Title: Identity Based Service System
18 October 2006 

Assistant Commissioner for Patents
P.O. Box 1450 
Alexandria, VA 22313-1450 

Declaration of Prior Invention to Overcome Cited Patent or Publication Pursuant to 37 CFR 1.131 - Michael A. Glenn for Steven Jeromy Carriere

1. My name is Michael A. Glenn. I am the registered attorney duly appointed by the inventors of the invention in the subject patent application.

2. I have reviewed the following documents cited by the Examiner: 

(a) Bhatnagar et al. (U.S. Pub. No. 20050021964 A1); and
(b) Rozmus et al. (U.S. Pub. No. 20040267870).

3. The earliest effective priority date of above-mentioned reference (a) is July 25, 2003. The earliest effective priority date of above-mentioned reference (b) is June 26, 2003. The conception of the claimed subject matter of the invention occurred prior to the specified dates of said reference (a) and reference (b), and was coupled with due diligence from prior to said reference dates to the filing of the above-mentioned application. In support of this, attached are the following documents, Exhibits A-M below. Neither reference claims the same subject matter as that claimed in the parent application.

Namely, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), establish conception and due diligence of Claim 1 because such exhibits show a system, comprising:

at least one first entity comprising any of a user, a user agent and a principal;

an authentication agency;

means for sending a login request from the first entity to the authentication agency;

means for receiving an assertion at the first entity from the authentication agency in response to the login request;

means for authenticating the first entity at a participant with the received assertion;

means for sending a request for a service on behalf of the first entity from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency, using the assertion; and

means for sending an authorization from the authentication agency to the second entity for the requested service in response to the sent request if the principal is enabled for the requested service.

Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 11 because exhibits show a system, comprising:

an authentication agency for authenticating at least one first entity comprising any of a user, a user agent and a principal, and for sending assertions to the first entities; and

at least one second entity comprising

means for receiving the assertions from the first entities,

means for authenticating the first entities at the second entity with the received assertions,

means for sending requests for service on behalf of the first entities to any of the authentication agency and a discovery service associated with the authentication agency, using the received authentication information from said first entities,

means for receiving authorizations sent from the authentication agency in response to the sent requests if the first entities are enabled for the requested services; and

means for invoking the requested authorized services with the received authorizations.

Furthermore, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 23, because exhibits show a system, comprising:

sending a login request from a first entity to an authentication agency, the first entity comprising any of a user, a user agent and a principal;

receiving an assertion at the first entity from the authentication agency in response to the login request;

authenticating at a participant through the first entity with the received assertion;

sending a request for a service on behalf of the principal from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency, using the assertion; and

sending an authorization from the authentication agency to the second entity for the requested service in response to the sent request if the first entity is enabled for the requested service.

In addition, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 33, because exhibits show a process, comprising the steps of:

providing an authentication agency networked to a service;

establishing an identity at the authentication agency for a first entity comprising any of a user, a user agent and a principal;

sending authentication information from the authentication agency to the first entity;

authenticating the first entity at a participant with the authentication information;

sending a request for a service on behalf of the principal from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency;

sending an authorization from the authentication agency to the second entity to access the service on behalf of the first entity if the first entity is enabled for the service by the authentication agency; and

establishing a link between the second entity and the service, based upon the authorization.

Support for Claims 1, 11, 23 and 33 is seen in Exhibit A, throughout the draft of the Summary, Specification and Claims of Exhibit A, Item 2, as seen at least on page 4, lines 8-14 (Summary); on page 5, line 30, to page 9, line 23; in Claims 1, 11, 22 and 32; and in Figures 1-6, 9 and 11-16 of Exhibit A, Item 3, wherein a first entity comprises at least any of a user and a principal, and an identity provider 14 acts as an authentication agency.
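The exchange recited in Claims 1, 23 and 33 (login request, assertion, authentication at the participant, service request to the discovery service using the assertion, authorization issued only if the principal is enabled for the service, then invocation) as an added worked example written for this page. It is not code from the application, its exhibits, or either cited reference. The HMAC-tagged token format, the keys assumed to be shared out of band, the entity names (alice, portal, other, calendar, mail) and the enabled-services table are all assumptions made here; the claims specify none of them.

```python
# Added example (not from the application or its exhibits): an offline
# simulation of the flow recited in Claims 1, 11, 23 and 33. The HMAC token
# format, the out-of-band shared keys, the names and the "enabled services"
# table are assumptions made here; the claims do not fix any of them.
import hashlib, hmac, json, secrets, time


def _sign(key, payload):
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body.hex() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def _verify(key, token):
    # Payload only if the tag verifies (constant-time compare); else None.
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag):
        return None
    return json.loads(body)


class AuthenticationAgency:
    """Authentication agency together with its associated discovery service."""

    def __init__(self, credentials, enabled, now=time.time, ttl=300):
        self.credentials = dict(credentials)                    # principal -> password
        self.enabled = {p: set(s) for p, s in enabled.items()}  # principal -> services
        self.now, self.ttl = now, ttl
        self.assertion_key = secrets.token_bytes(32)  # assumed shared with participants
        self.authz_key = secrets.token_bytes(32)      # assumed shared with services

    def login(self, principal, password, participant):
        """Login request -> assertion bound to one participant, or None."""
        if self.credentials.get(principal) != password:
            return None
        return _sign(self.assertion_key, {"sub": principal, "aud": participant,
                     "jti": secrets.token_hex(8), "exp": self.now() + self.ttl})

    def check_assertion(self, assertion, participant):
        """Claims if the tag, audience and lifetime all check out, else None."""
        c = _verify(self.assertion_key, assertion)
        return None if c is None or c["aud"] != participant or c["exp"] <= self.now() else c

    def request_service(self, requester, assertion, service):
        """Discovery request carrying the assertion -> authorization, granted
        only if the principal named in the assertion is enabled for the service."""
        c = self.check_assertion(assertion, requester)
        if c is None or service not in self.enabled.get(c["sub"], ()):
            return None
        return _sign(self.authz_key, {"sub": c["sub"], "svc": service,
                                      "requester": requester, "exp": c["exp"]})


class Service:
    def __init__(self, name, agency):
        self.name, self.agency = name, agency

    def handle(self, authorization, caller):
        """Trust only an authorization issued for this service to this caller."""
        c = _verify(self.agency.authz_key, authorization)
        if (c is None or c["svc"] != self.name or c["requester"] != caller
                or c["exp"] <= self.agency.now()):
            return None
        return "%s data for %s" % (self.name, c["sub"])


class Participant:
    """Second entity: authenticates the first entity, then acts on its behalf."""

    def __init__(self, name, agency):
        self.name, self.agency = name, agency

    def authenticate(self, assertion):
        c = self.agency.check_assertion(assertion, self.name)
        return None if c is None else c["sub"]

    def invoke(self, assertion, service):
        if self.authenticate(assertion) is None:
            return "rejected: bad assertion"
        authz = self.agency.request_service(self.name, assertion, service.name)
        if authz is None:
            return "denied: principal not enabled for " + service.name
        result = service.handle(authz, self.name)
        return result if result is not None else "rejected: bad authorization"


def demo():
    """Run each case of the flow and return its outcome."""
    clock = [1_000_000.0]                            # controllable time source
    agency = AuthenticationAgency({"alice": "pw"}, {"alice": {"calendar"}},
                                  now=lambda: clock[0])
    portal, other = Participant("portal", agency), Participant("other", agency)
    calendar, mail = Service("calendar", agency), Service("mail", agency)
    a = agency.login("alice", "pw", "portal")
    tampered = a[:-1] + ("0" if a[-1] != "0" else "1")   # flip the last tag char
    out = {"bad_password": agency.login("alice", "x", "portal") is None,
           "enabled": portal.invoke(a, calendar),
           "not_enabled": portal.invoke(a, mail),
           "wrong_audience": other.invoke(a, calendar),
           "tampered": portal.invoke(tampered, calendar)}
    clock[0] += 600                                  # past the assertion lifetime
    out["expired"] = portal.invoke(a, calendar)
    return out
```

demo() returns one outcome per case: the enabled principal reaches the service through the authorization; a service the principal is not enabled for is refused at the discovery step, so no authorization ever exists; and an assertion that is tampered with, presented to a participant it was not issued for, or expired is rejected by the participant before any request is made on the principal's behalf. The authorization is bound to the requesting participant and the named service, so a service cannot be reached with an authorization issued to a different requester or for a different service.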

4. The Exhibits.

It should be appreciated that some of the documents listed hereinbelow show 
the date on which they were printed, wherein the date reflects the printed date 
and not the date of creation of the document. 


Exhibit A.

May 14, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, which includes a request for identification of inventors to "get the drafts out for review".

Attached to the email are documents, including a draft of the Specification with Claims and Drawings:

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and

Item 3) Application Drawings Draft Document, Dwgs 5.13.03.v1.pdf.

Exhibit B.

May 15, 2003:

Item 1) A copy of an email with Subject: Here you go!!!, which includes contact information for at least one inventor.

Exhibit C.

May 15, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, which includes coordination with identification of possible inventors.

Exhibit D.

May 15, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, which includes contact information for possible inventors.


Application No. 10/678,910; Attorney Docket No. AOL0091

Exhibit E.

May 22, 2003:

Item 1) A copy of an email dated May 22, 2003 with Subject: Re: AOL0091 draft comments needed, which includes a request for review by Conor Cahill, Edwin Aoki, J. Carriere and David Wexelblat.

Attached to the email are documents, including a draft of the Specification with Claims and Drawings:

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and

Item 3) Application Drawings Draft Document, AOL0091.Dwgs.v1.pdf.
Exhibit F.

May 22, 2003 and June 11, 2003:

Item 1) A copy of an email dated June 11, 2003 with Subject: Re: AOL0091 draft review, 2nd request, which includes a request for review by Conor Cahill, Edwin Aoki, J. Carriere and David Wexelblat.

Item 2) Attached to the email of Item 1 is the appended Email with Attached Documents of Exhibit E, comprising:

Item 3) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and

Item 4) Application Drawings Draft Document, AOL0091.Dwgs.v1.pdf.

Exhibit G.

July 17, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments Due ASAP!;

Email refers to review of Application draft, with comments provided by David Eli Wexelblat.

Exhibit H.

July 21, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments Due ASAP!;

Email refers to review of Application draft and comments provided by Norihiro Edwin Aoki.

Attached to the email was the following document:

Item 2) Application Draft Redline Document 'AOL0091.App.V1 4.15.03 EA'.

Exhibit I.

July 23, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments Due ASAP!;

Email refers to the forwarding of comments from Edwin Aoki and David Wexelblat for incorporation into Application, and submission of inventor information for formal documents.

Exhibit J.

July 23, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 Signature Forms!;

Email refers to identification of Chris Toomey as an inventor, attached signature form, and an attached Application for review by Chris Toomey.

Attached to the email are the following documents:

Item 2) Assignment.doc; and

Item 3) DecPOA.doc.

Exhibit K.

August 14, 2003:

Item 1) A copy of an email dated August 14, 2003 with Subject: AOL0091 Second Patent Draft for Comments ASAP, with a request for review by Conor Cahill, Edwin Aoki, David Wexelblat and Jeromy Carriere.

Attached to the email are documents, including a draft of the Specification with Claims and Drawings:

Item 2) Application Draft Document, 'AOL0091.App.V2.8.14.03.doc'; and

Item 3) Application Drawings Draft Document, AOL0091.Dwgs.v2.pdf.

Exhibit L.

August 14, 2003:

Item 1) A copy of an email dated August 14, 2003 with Subject: Re: AOL0091 Second Patent Draft for Comments ASAP;

Wherein Edwin Aoki notes that he forwarded the request (of Exhibit K) to Jim Roskind & Chris Toomey.

Exhibit M.

August 29, 2003:

Item 1) A copy of an email with Subject: AOL0091 - Final Draft for Filing & Inventor Disclosure Form;

Email refers to pending delivery of formal drawings, and documents attached to the email, including the Application and an Inventor Disclosure form.

Also attached to the email is email confirmation for approval to file from Conor Cahill to Applicant's representative, Don Hendricks, from an email of 08/29/03 with Subject: Re: AOL0091 Fourth Draft of Figures for Comments ASAP.

5. I am one of the inventors that used each of the attached documents shown in Exhibits A, E, F, H, J, and K. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; and Exhibit F, Items 3 and 4 contain a description of exemplary embodiments of the invention. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; and Exhibit F, Items 3 and 4 were created before June 26, 2003 and show a conception date of the invention prior to both the effective date of July 25, 2003 for Reference (a) and before the effective date of June 26, 2003 of Reference (b).

Exhibit H, Item 2 also contains a description of exemplary embodiments of the invention, and was created before the effective date of July 25, 2003 for Reference (a).

Exhibits A-M establish due diligence from conception prior to the prior art of reference to the filing of the patent application.

6. The above-cited application was subsequently filed on 02 October 2003. 
7. I hereby acknowledge that willful false statements and the like are punishable by fine or imprisonment, or both (18 U.S.C. 1001) and may jeopardize the validity of my application or any patent issuing thereon. All statements made of my own knowledge are true and all statements made on information or beliefs are believed to be true.





Michael A. Glenn
Attorney

Date
Title: Identity Based Service System
18 October 2006 

Assistant Commissioner for Patents
P.O. Box 1450 
Alexandria, VA 22313-1450 

Declaration of Prior Invention to Overcome Cited Patent or Publication Pursuant to 37 CFR 1.131 - Michael A. Glenn for James A. Roskind

1. My name is Michael A. Glenn. I am the registered attorney duly appointed by the inventors of the invention in the subject patent application.

2. I have reviewed the following documents cited by the Examiner: 

(a) Bhatnagar et al. (U.S. Pub. No. 20050021964 A1); and
(b) Rozmus et al. (U.S. Pub. No. 20040267870).

3. The earliest effective priority date of above-mentioned reference (a) is July 25, 2003. The earliest effective priority date of above-mentioned reference (b) is June 26, 2003. The conception of the claimed subject matter of the invention occurred prior to the specified dates of said reference (a) and reference (b), and was coupled with due diligence from prior to said reference dates to the filing of the above-mentioned application. In support of this, attached are the following documents, Exhibits A-M below. Neither reference claims the same subject matter as that claimed in the parent application.

Namely, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), establish conception and due diligence of Claim 1 because such exhibits show a system, comprising:

at least one first entity comprising any of a user, a user agent and a principal;

an authentication agency;

means for sending a login request from the first entity to the authentication agency;

means for receiving an assertion at the first entity from the authentication agency in response to the login request;

means for authenticating the first entity at a participant with the received assertion;

means for sending a request for a service on behalf of the first entity from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency, using the assertion; and

means for sending an authorization from the authentication agency to the second entity for the requested service in response to the sent request if the principal is enabled for the requested service.

Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 11 because exhibits show a system, comprising:

an authentication agency for authenticating at least one first entity comprising any of a user, a user agent and a principal, and for sending assertions to the first entities; and

at least one second entity comprising

means for receiving the assertions from the first entities,

means for authenticating the first entities at the second entity with the received assertions,

means for sending requests for service on behalf of the first entities to any of the authentication agency and a discovery service associated with the authentication agency, using the received authentication information from said first entities,

means for receiving authorizations sent from the authentication agency in response to the sent requests if the first entities are enabled for the requested services; and

means for invoking the requested authorized services with the received authorizations.

Furthermore, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 23, because exhibits show a system, comprising:

sending a login request from a first entity to an authentication agency, the first entity comprising any of a user, a user agent and a principal;

receiving an assertion at the first entity from the authentication agency in response to the login request;

authenticating at a participant through the first entity with the received assertion;

sending a request for a service on behalf of the principal from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency, using the assertion; and

sending an authorization from the authentication agency to the second entity for the requested service in response to the sent request if the first entity is enabled for the requested service.

In addition, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 33, because exhibits show a process, comprising the steps of:

providing an authentication agency networked to a service;

establishing an identity at the authentication agency for a first entity comprising any of a user, a user agent and a principal;

sending authentication information from the authentication agency to the first entity;

authenticating the first entity at a participant with the authentication information;

sending a request for a service on behalf of the principal from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency;

sending an authorization from the authentication agency to the second entity to access the service on behalf of the first entity if the first entity is enabled for the service by the authentication agency; and

establishing a link between the second entity and the service, based upon the authorization.

Support for Claims 1, 11, 23 and 33 is seen in Exhibit A, throughout the draft of the Summary, Specification and Claims of Exhibit A, Item 2, as seen at least on page 4, lines 8-14 (Summary); on page 5, line 30, to page 9, line 23; in Claims 1, 11, 22 and 32; and in Figures 1-6, 9 and 11-16 of Exhibit A, Item 3, wherein a first entity comprises at least any of a user and a principal, and an identity provider 14 acts as an authentication agency.

4. The Exhibits.

It should be appreciated that some of the documents listed hereinbelow show 
the date on which they were printed, wherein the date reflects the printed date 
and not the date of creation of the document. 


Exhibit A.

May 14, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, which includes a request for identification of inventors to "get the drafts out for review".

Attached to the email are documents, including a draft of the Specification with Claims and Drawings:

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and

Item 3) Application Drawings Draft Document, Dwgs 5.13.03.v1.pdf.

Exhibit B.

May 15, 2003:

Item 1) A copy of an email with Subject: Here you go!!!, which includes contact information for at least one inventor.

Exhibit C.

May 15, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, which includes coordination with identification of possible inventors.

Exhibit D.

May 15, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, which includes contact information for possible inventors.


Exhibit E.

May 22, 2003:

Item 1) A copy of an email dated May 22, 2003 with Subject: Re: AOL0091 draft comments needed, which includes a request for review by Conor Cahill, Edwin Aoki, J. Carriere and David Wexelblat.

Attached to the email are documents, including a draft of the Specification with Claims and Drawings:

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and

Item 3) Application Drawings Draft Document, AOL0091.Dwgs.v1.pdf.
Exhibit F.

May 22, 2003 and June 11, 2003:

Item 1) A copy of an email dated June 11, 2003 with Subject: Re: AOL0091 draft review, 2nd request, which includes a request for review by Conor Cahill, Edwin Aoki, J. Carriere and David Wexelblat.

Item 2) Attached to the email of Item 1 is the appended Email with Attached Documents of Exhibit E, comprising:

Item 3) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and

Item 4) Application Drawings Draft Document, AOL0091.Dwgs.v1.pdf.

Exhibit G.

July 17, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments Due ASAP!;

Email refers to review of Application draft, with comments provided by David Eli Wexelblat.

Exhibit H.

July 21, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments Due ASAP!;

Email refers to review of Application draft and comments provided by Norihiro Edwin Aoki.

Attached to the email was the following document:

Item 2) Application Draft Redline Document 'AOL0091.App.V1 4.15.03 EA'.

Exhibit I.

July 23, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments Due ASAP!;

Email refers to the forwarding of comments from Edwin Aoki and David Wexelblat for incorporation into Application, and submission of inventor information for formal documents.

Exhibit J.

July 23, 2003:

Item 1) A copy of an email with Subject: Re: AOL0091 Signature Forms!;

Email refers to identification of Chris Toomey as an inventor, attached signature form, and an attached Application for review by Chris Toomey.

Attached to the email are the following documents:

Item 2) Assignment.doc; and

Item 3) DecPOA.doc.

Exhibit K.

August 14, 2003:

Item 1) A copy of an email dated August 14, 2003 with Subject: AOL0091 Second Patent Draft for Comments ASAP, with a request for review by Conor Cahill, Edwin Aoki, David Wexelblat and Jeromy Carriere.

Attached to the email are documents, including a draft of the Specification with Claims and Drawings:

Item 2) Application Draft Document, 'AOL0091.App.V2.8.14.03.doc'; and

Item 3) Application Drawings Draft Document, AOL0091.Dwgs.v2.pdf.

Exhibit L.

August 14, 2003:

Item 1) A copy of an email dated August 14, 2003 with Subject: Re: AOL0091 Second Patent Draft for Comments ASAP;

Wherein Edwin Aoki notes that he forwarded the request (of Exhibit K) to Jim Roskind & Chris Toomey.

Exhibit M.

August 29, 2003:

Item 1) A copy of an email with Subject: AOL0091 - Final Draft for Filing & Inventor Disclosure Form;

Email refers to pending delivery of formal drawings, and documents attached to the email, including the Application and an Inventor Disclosure form.

Also attached to the email is email confirmation for approval to file from Conor Cahill to Applicant's representative, Don Hendricks, from an email of 08/29/03 with Subject: Re: AOL0091 Fourth Draft of Figures for Comments ASAP.

5. I am one of the inventors that used each of the attached documents shown in Exhibits A, E, F, H, J, and K. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; and Exhibit F, Items 3 and 4 contain a description of exemplary embodiments of the invention. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; and Exhibit F, Items 3 and 4 were created before June 26, 2003 and show a conception date of the invention prior to both the effective date of July 25, 2003 for Reference (a) and before the effective date of June 26, 2003 of Reference (b).

Exhibit H, Item 2 also contains a description of exemplary embodiments of the invention, and was created before the effective date of July 25, 2003 for Reference (a).

Exhibits A-M establish due diligence from conception prior to the prior art of reference to the filing of the patent application.

6. The above-cited application was subsequently filed on 02 October 2003. 
7. I hereby acknowledge that willful false statements and the like are punishable by fine or imprisonment, or both (18 U.S.C. 1001) and may jeopardize the validity of my application or any patent issuing thereon. All statements made of my own knowledge are true and all statements made on information or beliefs are believed to be true.



Michael A. Glenn
Attorney
Title: Identity Based Service System
18 October 2006 

Assistant Commissioner for Patents
P.O. Box 1450 
Alexandria, VA 22313-1450 

Declaration of Prior Invention to Overcome Cited Patent or Publication Pursuant to 37 CFR 1.131 - Michael A. Glenn for Christopher Newell Toomey

1. My name is Michael A. Glenn. I am the registered attorney duly appointed by the inventors of the invention in the subject patent application.

2. I have reviewed the following documents cited by the Examiner: 

(a) Bhatnagar et al. (U.S. Pub. No. 20050021964 A1); and
(b) Rozmus et al. (U.S. Pub. No. 20040267870).

3. The earliest effective priority date of above-mentioned reference (a) is July 25, 2003. The earliest effective priority date of above-mentioned reference (b) is June 26, 2003. The conception of the claimed subject matter of the invention occurred prior to the specified dates of said reference (a) and reference (b), and was coupled with due diligence from prior to said reference dates to the filing of the above-mentioned application. In support of this, attached are the following documents, Exhibits A-M below. Neither reference claims the same subject matter as that claimed in the parent application.

Namely, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), establish conception and due diligence of Claim 1 because such exhibits show a system, comprising:

at least one first entity comprising any of a user, a user agent and a principal;

an authentication agency;

means for sending a login request from the first entity to the authentication agency;

means for receiving an assertion at the first entity from the authentication agency in response to the login request;

means for authenticating the first entity at a participant with the received assertion;

means for sending a request for a service on behalf of the first entity from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency, using the assertion; and

means for sending an authorization from the authentication agency to the second entity for the requested service in response to the sent request if the principal is enabled for the requested service.

Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 11 because exhibits show a system, comprising:

an authentication agency for authenticating at least one first entity comprising any of a user, a user agent and a principal, and for sending assertions to the first entities; and

at least one second entity comprising

means for receiving the assertions from the first entities,

means for authenticating the first entities at the second entity with the received assertions,

means for sending requests for service on behalf of the first entities to any of the authentication agency and a discovery service associated with the authentication agency, using the received authentication information from said first entities,

means for receiving authorizations sent from the authentication agency in response to the sent requests if the first entities are enabled for the requested services; and

means for invoking the requested authorized services with the received authorizations.

Furthermore, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 23, because exhibits show a system, comprising:

sending a login request from a first entity to an authentication agency, the first entity comprising any of a user, a user agent and a principal;

receiving an assertion at the first entity from the authentication agency in response to the login request;

authenticating at a participant through the first entity with the received assertion;

sending a request for a service on behalf of the principal from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency, using the assertion; and

sending an authorization from the authentication agency to the second entity for the requested service in response to the sent request if the first entity is enabled for the requested service.

In addition, Exhibits A-M, spanning the dates from 4/03 to 10/03, i.e. predating above-mentioned references (a) and (b), also establish conception and due diligence of Claim 33, because exhibits show a process, comprising the steps of:

providing an authentication agency networked to a service;

establishing an identity at the authentication agency for a first entity comprising any of a user, a user agent and a principal;

sending authentication information from the authentication agency to the first entity;

authenticating the first entity at a participant with the authentication information;

sending a request for a service on behalf of the principal from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency;

sending an authorization from the authentication agency to the second entity to access the service on behalf of the first entity if the first entity is enabled for the service by the authentication agency; and

establishing a link between the second entity and the service, based upon the authorization.

Support for Claims 1, 11, 23 and 33 is seen in Exhibit A, throughout the draft of the Summary, Specification and Claims of Exhibit A, Item 2, as seen at least on page 4, lines 8-14 (Summary); on page 5, line 30, to page 9, line 23; in Claims 1, 11, 22 and 32; and in Figures 1-6, 9 and 11-16 of Exhibit A, Item 3, wherein a first entity comprises at least any of a user and a principal, and an identity provider 14 acts as an authentication agency.

4. The Exhibits. 

It should be appreciated that some of the documents listed hereinbelow show 
the date on which they were printed, wherein the date reflects the printed date 
and not the date of creation of the document. 


Exhibit A. 
May 14, 2003: 
Item 1) A copy of an email with Subject: Re: AOL0091 draft comments 
needed, which includes a request for identification of inventors to "get the 
drafts out for review". 


Attached to the email are documents, including a draft of the Specification 
with Claims and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 


Item 3) Application Drawings Draft Document, 'Dwgs 5.13.03.v1.pdf'. 

Exhibit B. 

May 15, 2003: 


Item 1) A copy of an email with Subject: Here you go!!!, which includes 
contact information for at least one inventor. 

Exhibit C. 

May 15, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes coordination with identification of possible inventors. 

Exhibit D. 

May 15, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes contact information for possible inventors. 


Exhibit E. 
May 22, 2003: 
Item 1) A copy of an email dated May 22, 2003 with Subject: Re: AOL0091 draft 
comments needed, which includes a request for review by Conor Cahill, Edwin Aoki, J. 
Carriere and David Wexelblat. 


Attached to the email are documents, including a draft of the Specification with 
Claims and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 


Item 3) Application Drawings Draft Document, 'AOL0091.Dwgs.v1.pdf'. 
Exhibit F. 

May 22, 2003 and June 11, 2003: 

15 

Item 1) A copy of an email dated June 11, 2003 with Subject: Re: AOL0091 draft 
review, 2nd request, which includes a request for review by Conor Cahill, Edwin Aoki, J. 
Carriere and David Wexelblat. 



Item 2) Attached to the email of Item 1 is the appended Email with Attached 
Documents of Exhibit E, comprising: 

Item 3) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 
Item 4) Application Drawings Draft Document, 'AOL0091.Dwgs.v1.pdf'. 

Exhibit G. 

July 17, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 
Email refers to review of Application draft, with comments provided by David Eli 
Wexelblat. 

Exhibit H. 

July 21, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to review of Application draft and comments provided by Norihiro 
Edwin Aoki. 

Attached to the email was the following document: 
Item 2) Application Draft Redline Document 'AOL0091.App.V1 4.15.03 EA'. 

Exhibit I. 

July 23, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to the forwarding of comments from Edwin Aoki and David 
Wexelblat for incorporation into Application, and submission of inventor 
information for formal documents. 

Exhibit J. 

July 23, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Signature Forms!; 
Email refers to identification of Chris Toomey as an inventor, attached signature 
form, and an attached Application for review by Chris Toomey. 

Attached to the email are the following documents: 


Item 2) Assignment.doc; and 
Item 3) Dec:POA.doc. 

Exhibit K. 

August 14, 2003: 

Item 1) A copy of an email dated August 14, 2003 with Subject: AOL0091 
Second Patent Draft for Comments ASAP, 

with a request for review by Conor Cahill, Edwin Aoki, David Wexelblat and 
Jeromy Carriere. 

Attached to the email are documents, including a draft of the Specification with 
Claims and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V2.8.14.03.doc'; and 

Item 3) Application Drawings Draft Document, 'AOL0091.Dwgs.v2.pdf'. 


Exhibit L. 

August 14, 2003: 

Item 1) A copy of an email dated August 14, 2003 with Subject: Re: AOL0091 
Second Patent Draft for Comments ASAP; 






Application No. 10/678,910 Attorney Docket No. AOL0091 

Wherein Edwin Aoki notes that he forwarded the request (of Exhibit K) to Jim 
Roskind & Chris Toomey. 

Exhibit M. 

August 29, 2003: 

Item 1) A copy of an email with Subject: AOL0091 - Final Draft for Filing & 
Inventor Disclosure Form; 

Email refers to pending delivery of formal drawings, and documents attached to 
the email, including the Application and an Inventor Disclosure form. 

Also attached to the email is email confirmation for approval to file from Conor 
Cahill to Applicant's representative, Don Hendricks, from an email of 08/29/03 
with Subject: Re: AOL0091 Fourth Draft of Figures for Comments ASAP. 

5. I am one of the inventors that used each of the attached documents shown in 
Exhibits A, E, F, H, J, and K. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; 
and Exhibit F, Items 3 and 4 contain a description of exemplary embodiments of 
the invention. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; and Exhibit F, 
Items 3 and 4 were created before June 26, 2003 and show a conception date of 
the invention prior to both the effective date of July 25, 2003 for Reference (a) 
and before the effective date of June 26, 2003 of Reference (b). 

Exhibit H, Item 2 also contains a description of exemplary embodiments of the 
invention, and was created before the effective date of July 25, 2003 for 
Reference (a). 

Exhibits A - M establish due diligence from conception prior to the prior art of 
reference to the filing of the patent application. 

6. The above-cited application was subsequently filed on 02 October 2003. 


7. I hereby acknowledge that willful false statements and the like are punishable 
by fine or imprisonment, or both (18 U.S.C. 1001) and may jeopardize the validity 
of my application or any patent issuing thereon. All statements made of my own 
knowledge are true and all statements made on information or beliefs are 
believed to be true. 



Michael A. Glenn 
Attorney 
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re Application of: Cahill et al. Docket No.: AOL0091 

Serial No.: 10/678,910 Art Unit: 2131 

Filed: 02 October 2003 Examiner: Chen, Shin Hon 

Title: Identity Based Service System 

26 September 2006 

Assistant Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Declaration of Prior Invention to Overcome 
Cited Patent or Publication Pursuant to 37 CFR 1.131 

1. My name is Conor Cahill. 

2. I have reviewed the following documents cited by the Examiner: 

(a) Bhatnagar et al. (U. S. Pub. No. 20050021964 A1); and 

(b) Rozmus et al. (U.S. Pub. No. 20040267870). 

3. The earliest effective priority date of above-mentioned reference (a) is July 
25, 2003. The earliest effective priority date of above-mentioned reference (b) is 
June 26, 2003. The conception of the claimed subject matter of my invention 
occurred prior to the specified dates of said reference (a) and reference (b), and 
was coupled with due diligence from prior to said reference dates to the filing of 
the above mentioned application. In support of this, I have attached the 
following documents, Exhibits A-M below. Neither reference claims the same 
subject matter as that claimed in my parent application. 
Namely, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating 
above mentioned reference (a) and (b), establish conception and due diligence 
of Claim 1 because such exhibits show a system, comprising: 

at least one first entity comprising any of a user, a user agent and a 
principal; 

an authentication agency; 

means for sending a login request from the first entity to the authentication 
agency; 

means for receiving an assertion at the first entity from the authentication 
agency in response to the log in request; 

means for authenticating the first entity at a participant with the received 
assertion; 

means for sending a request for a service on behalf of the first entity from 
a second entity comprising any of the participant and a service consumer 
associated with the participant to any of the authentication agency and a 
discovery service associated with the authentication agency, using the assertion; 
and 

means for sending an authorization from the authentication agency to 
the second entity for the requested service in response to the sent request if the 
principal is enabled for the requested service. 

Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating above 
mentioned reference (a) and (b), also establish conception and due diligence of 
Claim 11 because exhibits show a system, comprising: 

an authentication agency for authenticating at least one first entity 
comprising any of a user, a user agent and a principal, and for sending 
assertions to the first entities; and 

at least one second entity comprising 
means for receiving the assertions from the first entities, 

means for authenticating the first entities at the second entity with 
the received assertions, 

means for sending requests for service on behalf of the first entities 
to any of the authentication agency and a discovery service associated 
with the authentication agency, using the received authentication 
information from said first entities, 
means for receiving authorizations sent from the authentication 
agency in response to the sent requests if the first entities are enabled for 
the requested services; and 

means for invoking the requested authorized services with the received 
authorizations. 


Furthermore, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. 
predating above mentioned reference (a) and (b), also establish conception and 
due diligence of Claim 23, because exhibits show a system, comprising: 

sending a login request from a first entity to an authentication agency, the 
first entity comprising any of a user, a user agent and a principal; 

receiving an assertion at the first entity from the authentication agency in 
response to the log in request; 

authenticating at a participant through the first entity with the received 
assertion; 

sending a request for a service on behalf of the principal from a second 
entity comprising any of the participant and a service consumer associated with 
the participant to any of the authentication agency and a discovery service 
associated with the authentication agency, using the assertion; and 

sending an authorization from the authentication agency to the second 
entity for the requested service in response to the sent request if the first entity is 
enabled for the requested service. 

In addition, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating 
above mentioned reference (a) and (b), also establish conception and due 
diligence of Claim 33, because exhibits show a process, comprising the steps of: 
providing an authentication agency networked to a service; 
establishing an identity at the authentication agency for a first entity 
comprising any of a user, a user agent and a principal; 

sending authentication information from the authentication agency to the 
first entity; 

authenticating the first entity at a participant with the authentication 
information; 

sending a request for a service on behalf of the principal from a second 
entity comprising any of the participant and a service consumer associated with 
the participant to any of the authentication agency and a discovery service 
associated with the authentication agency; 

sending an authorization from the authentication agency to the second 
entity to access the service on behalf of the first entity if the first entity is enabled 
for the service by the authentication agency; and 

establishing a link between the second entity and the service, based upon 
the authorization. 

Support for Claims 1, 11, 23 and 33 is seen in Exhibit A, throughout the draft of 
the Summary, Specification and Claims of Exhibit A, Item 2, as seen at least on 
page 4, lines 8-14 (Summary); on page 5, line 30, to page 9, line 23; in Claims 1, 
11, 22 and 32; and in Figures 1-6, 9 and 11-16 of Exhibit A, Item 3, wherein a 
first entity comprises at least any of a user and a principal, and an identity 
provider 14 acts as an authentication agency. 

4. The Exhibits. 


It should be appreciated that some of the documents listed hereinbelow show 
the date on which they were printed, wherein the date reflects the printed date 
and not the date of creation of the document. 

Exhibit A. 

May 14, 2003: 
Item 1) A copy of an email with Subject: Re: AOL0091 draft comments 
needed, which includes a request for identification of inventors to "get the 
drafts out for review". 

Attached to the email are documents, including a draft of the Specification 
with Claims and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 
Item 3) Application Drawings Draft Document, 'Dwgs 5.13.03.v1.pdf'. 

Exhibit B. 

May 15, 2003: 

Item 1) A copy of an email with Subject: Here you go!!!, which includes 
contact information for at least one inventor. 

Exhibit C. 

May 15, 2003: 


Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes coordination with identification of possible inventors. 

Exhibit D. 

May 15, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes contact information for possible inventors. 



Exhibit E. 

May 22, 2003: 
Item 1) A copy of an email dated May 22, 2003 with Subject: Re: AOL0091 draft 
comments needed, which includes a request for review by Conor Cahill, Edwin Aoki, J. 
Carriere and David Wexelblat. 

Attached to the email are documents, including a draft of the Specification with 
Claims and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 
Item 3) Application Drawings Draft Document, 'AOL0091.Dwgs.v1.pdf'. 
Exhibit F. 

May 22, 2003 and June 11, 2003: 

Item 1) A copy of an email dated June 11, 2003 with Subject: Re: AOL0091 draft 
review, 2nd request, which includes a request for review by Conor Cahill, Edwin Aoki, J. 
Carriere and David Wexelblat. 

Item 2) Attached to the email of Item 1 is the appended Email with Attached 
Documents of Exhibit E, comprising: 

Item 3) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 

Item 4) Application Drawings Draft Document, 'AOL0091.Dwgs.v1.pdf'. 


Exhibit G. 

July 17, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 
Email refers to review of Application draft, with comments provided by David Eli 
Wexelblat. 

Exhibit H. 
July 21, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to review of Application draft and comments provided by Norihiro 
Edwin Aoki. 

Attached to the email was the following document: 

Item 2) Application Draft Redline Document 'AOL0091.App.V1 4.15.03 EA'. 

Exhibit I. 
July 23, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to the forwarding of comments from Edwin Aoki and David 
Wexelblat for incorporation into Application, and submission of inventor 
information for formal documents. 

Exhibit J. 

July 23, 2003: 



Item 1) A copy of an email with Subject: Re: AOL0091 Signature Forms!; 
Email refers to identification of Chris Toomey as an inventor, attached signature 
form, and an attached Application for review by Chris Toomey. 

Attached to the email are the following documents: 


Item 2) Assignment.doc; and 
Item 3) Dec:POA.doc. 

Exhibit K. 

August 14, 2003: 

Item 1) A copy of an email dated August 14, 2003 with Subject: AOL0091 
Second Patent Draft for Comments ASAP, 


with a request for review by Conor Cahill, Edwin Aoki, David Wexelblat and 
Jeromy Carriere. 

Attached to the email are documents, including a draft of the Specification with 
Claims and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V2.8.14.03.doc'; and 

Item 3) Application Drawings Draft Document, 'AOL0091.Dwgs.v2.pdf'. 


Exhibit L. 

August 14, 2003: 

Item 1) A copy of an email dated August 14, 2003 with Subject: Re: AOL0091 
Second Patent Draft for Comments ASAP; 
Wherein Edwin Aoki notes that he forwarded the request (of Exhibit K) to Jim 
Roskind & Chris Toomey. 

Exhibit M. 

August 29, 2003: 

Item 1) A copy of an email with Subject: AOL0091 - Final Draft for Filing & 
Inventor Disclosure Form; 

Email refers to pending delivery of formal drawings, and documents attached to 
the email, including the Application and an Inventor Disclosure form. 

Also attached to the email is email confirmation for approval to file from Conor 
Cahill to Applicant's representative, Don Hendricks, from an email of 08/29/03 
with Subject: Re: AOL0091 Fourth Draft of Figures for Comments ASAP. 

5. I am one of the inventors that used each of the attached documents shown in 
Exhibits A, E, F, H, J, and K. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; 
and Exhibit F, Items 3 and 4 contain a description of exemplary embodiments of 
the invention. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; and Exhibit F, 
Items 3 and 4 were created before June 26, 2003 and show a conception date of 
the invention prior to both the effective date of July 25, 2003 for Reference (a) 
and before the effective date of June 26, 2003 of Reference (b). 

Exhibit H, Item 2 also contains a description of exemplary embodiments of the 
invention, and was created before the effective date of July 25, 2003 for 
Reference (a). 

Exhibits A - M establish due diligence from conception prior to the prior art of 
reference to the filing of the patent application. 

6. The above-cited application was subsequently filed on 02 October 2003. 
7. I hereby acknowledge that willful false statements and the like are punishable 
by fine or imprisonment, or both (18 U.S.C. 1001) and may jeopardize the validity 
of my application or any patent issuing thereon. All statements made of my own 
knowledge are true and all statements made on information or beliefs are 
believed to be true. 




Conor Cahill Date 
Declarant 
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re Application of: Cahill et al. Docket No.: AOL0091 

Serial No.: 10/678,910 Art Unit: 2131 

Filed: 02 October 2003 Examiner: Chen, Shin Hon 


Title: Identity Based Service System 

26 September 2006 

Assistant Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Declaration of Prior Invention to Overcome 
Cited Patent or Publication Pursuant to 37 CFR 1.131 



1. My name is Norihiro Edwin Aoki. 
2. I have reviewed the following documents cited by the Examiner: 

(a) Bhatnagar et al. (U. S. Pub. No. 20050021964 A1); and 

(b) Rozmus et al. (U.S. Pub. No. 20040267870). 

3. The earliest effective priority date of above-mentioned reference (a) is July 25, 
2003. The earliest effective priority date of above-mentioned reference (b) is June 
26, 2003. The conception of the claimed subject matter of my invention occurred 
prior to the specified dates of said reference (a) and reference (b), and was coupled 
with due diligence from prior to said reference dates to the filing of the above 
mentioned application. In support of this, I have attached the following documents, 
Exhibits A-M below. Neither reference claims the same subject matter as that 
claimed in my parent application. 
Namely, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating 
above mentioned reference (a) and (b), establish conception and due diligence of 
Claim 1 because such exhibits show a system, comprising: 

at least one first entity comprising any of a user, a user agent and a principal; 
an authentication agency; 

means for sending a login request from the first entity to the authentication 
agency; 

means for receiving an assertion at the first entity from the authentication 
agency in response to the log in request; 
means for authenticating the first entity at a participant with the received 
assertion; 

means for sending a request for a service on behalf of the first entity from a 
second entity comprising any of the participant and a service consumer associated 
with the participant to any of the authentication agency and a discovery service 
associated with the authentication agency, using the assertion; and 

means for sending an authorization from the authentication agency to the 
second entity for the requested service in response to the sent request if the 
principal is enabled for the requested service. 

Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating above 
mentioned reference (a) and (b), also establish conception and due diligence of 
Claim 11 because exhibits show a system, comprising: 

an authentication agency for authenticating at least one first entity comprising 
any of a user, a user agent and a principal, and for sending assertions to the first 
entities; and 

at least one second entity comprising 

means for receiving the assertions from the first entities, 
means for authenticating the first entities at the second entity with the 
received assertions, 

means for sending requests for service on behalf of the first entities to 
any of the authentication agency and a discovery service associated with the 
authentication agency, using the received authentication information from said 
first entities, 

means for receiving authorizations sent from the authentication agency 
in response to the sent requests if the first entities are enabled for the 
requested services; and 
means for invoking the requested authorized services with the received 
authorizations. 

Furthermore, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating 
above mentioned reference (a) and (b), also establish conception and due diligence 
of Claim 23, because exhibits show a system, comprising: 

sending a login request from a first entity to an authentication agency, the first 
entity comprising any of a user, a user agent and a principal; 

receiving an assertion at the first entity from the authentication agency in 
response to the log in request; 

authenticating at a participant through the first entity with the received assertion; 

sending a request for a service on behalf of the principal from a second entity 
comprising any of the participant and a service consumer associated with the 
participant to any of the authentication agency and a discovery service associated 
with the authentication agency, using the assertion; and 

sending an authorization from the authentication agency to the second entity 
for the requested service in response to the sent request if the first entity is enabled 
for the requested service. 

In addition, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating 
above mentioned reference (a) and (b), also establish conception and due diligence 
of Claim 33, because exhibits show a process, comprising the steps of: 
providing an authentication agency networked to a service; 
establishing an identity at the authentication agency for a first entity comprising 
any of a user, a user agent and a principal; 

sending authentication information from the authentication agency to the first 
entity; 

authenticating the first entity at a participant with the authentication information; 
sending a request for a service on behalf of the principal from a second entity 
comprising any of the participant and a service consumer associated with the 
participant to any of the authentication agency and a discovery service associated 
with the authentication agency; 

sending an authorization from the authentication agency to the second entity to 
access the service on behalf of the first entity if the first entity is enabled for the 
service by the authentication agency; and 
establishing a link between the second entity and the service, based upon 
the authorization. 

Support for Claims 1, 11, 23 and 33 is seen in Exhibit A, throughout the draft of the 
Summary, Specification and Claims of Exhibit A, Item 2, as seen at least on page 4, 
lines 8-14 (Summary); on page 5, line 30, to page 9, line 23; in Claims 1,11, 22 
and 32; and in Figures 1-6, 9 and 11-16 of Exhibit A, Item 3, wherein a first entity 
comprises at least any of a user and a principal, and an identity provider 14 acts as 
an authentication agency. 


4. The Exhibits. 

It should be appreciated that some of the documents listed hereinbelow show the 
date on which they were printed, wherein the date reflects the printed date and not 
the date of creation of the document. 

Exhibit A. 
May 14, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes a request for identification of inventors to "get the drafts out for 
review". 

Attached to the email are documents, including a draft of the Specification with 
Claims and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 
Item 3) Application Drawings Draft Document, 'Dwgs 5.13.03.v1.pdf'. 


Exhibit B. 
May 15, 2003: 

Item 1) A copy of an email with Subject: Here you go!!!, which includes contact 
information for at least one inventor. 
Exhibit C. 
May 15, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes coordination with identification of possible inventors. 

Exhibit D. 
May 15, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes contact information for possible inventors. 

Exhibit E. 

May 22, 2003: 


Item 1) A copy of an email dated May 22, 2003 with Subject: Re: AOL0091 draft 
comments needed, which includes a request for review by Conor Cahill, Edwin Aoki, J. 
Carriere and David Wexelblat. 

Attached to the email are documents, including a draft of the Specification with Claims 
and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 
Item 3) Application Drawings Draft Document, 'AOL0091.Dwgs.v1.pdf'. 
Exhibit F. 

May 22, 2003 and June 11, 2003: 

Item 1) A copy of an email dated June 11, 2003 with Subject: Re: AOL0091 draft 
review, 2nd request, which includes a request for review by Conor Cahill, Edwin Aoki, J. 
Carriere and David Wexelblat. 

Item 2) Attached to the email of Item 1 is the appended Email with Attached 
Documents of Exhibit E, comprising: 
Item 3) Application Draft Document, 'AOL0091.App.V1 4.15.03.doc'; and 

Item 4) Application Drawings Draft Document, 'AOL0091.Dwgs.v1.pdf'. 

Exhibit G. 
July 17, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 


Email refers to review of Application draft, with comments provided by David Eli 
Wexelblat. 

Exhibit H. 

July 21, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to review of Application draft and comments provided by Norihiro 
Edwin Aoki. 

Attached to the email was the following document: 

Item 2) Application Draft Redline Document 'AOL0091.App.V1 4.15.03 EA'. 

Exhibit I. 
July 23, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to the forwarding of comments from Edwin Aoki and David Wexelblat 
for incorporation into Application, and submission of inventor information for formal 
documents. 
Exhibit J. 
July 23, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Signature Forms!; 


Email refers to identification of Chris Toomey as an inventor, attached signature form, 
and an attached Application for review by Chris Toomey. 

Attached to the email are the following documents: 


Item 2) Assignment.doc; and 

Item 3) Dec:POA.doc. 

Exhibit K. 

August 14, 2003: 

Item 1) A copy of an email dated August 14, 2003 with Subject: AOL0091 Second 
Patent Draft for Comments ASAP, 


with a request for review by Conor Cahill, Edwin Aoki, David Wexelblat and 
Jeromy Carriere. 

Attached to the email are documents, including a draft of the Specification with Claims 
and Drawings: 

Item 2) Application Draft Document, 'AOL0091.App.V2.8.14.03.doc'; and 
Item 3) Application Drawings Draft Document, 'AOL0091.Dwgs.v2.pdf'. 


Exhibit L. 
August 14, 2003: 

Item 1) A copy of an email dated August 14, 2003 with Subject: Re: AOL0091 
Second Patent Draft for Comments ASAP; 
Wherein Edwin Aoki notes that he forwarded the request (of Exhibit K) to Jim 
Roskind & Chris Toomey. 

Exhibit M. 

August 29, 2003: 

Item 1) A copy of an email with Subject: AOL0091 - Final Draft for Filing & Inventor 
Disclosure Form; 

Email refers to pending delivery of formal drawings, and documents attached to the 
email, including the Application and an Inventor Disclosure form. 

Also attached to the email is email confirmation for approval to file from Conor Cahill 
to Applicant's representative, Don Hendricks, from an email of 08/29/03 with 
Subject: Re: AOL0091 Fourth Draft of Figures for Comments ASAP. 

5. I am one of the inventors that used each of the attached documents shown in 
Exhibits A, E, F, H, J, and K. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; 
and Exhibit F, Items 3 and 4 contain a description of exemplary embodiments of the 
invention. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; and Exhibit F, Items 3 
and 4 were created before June 26, 2003 and show a conception date of the 
invention prior to both the effective date of July 25, 2003 for Reference (a) and 
before the effective date of June 26, 2003 of Reference (b). 

Exhibit H, Item 2 also contains a description of exemplary embodiments of the 
invention, and was created before the effective date of July 25, 2003 for Reference 
(a). 

Exhibits A - M establish due diligence from conception prior to the prior art of 
reference to the filing of the patent application. 

6. The above-cited application was subsequently filed on 02 October 2003. 

7. I hereby acknowledge that willful false statements and the like are punishable by 
35 fine or imprisonment, or both (18 U.S.C. 1001) and may jeopardize the validity of 

my application or any patent issuing thereon. All statements made of my own 
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knowledge are true and all statements made on information or beliefs are believed 
to be true. 



Norihiro Edwin Aoki 
Declarant 
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re Application of: Cahill et al. 
Serial No.: 10/678,910 
Filed: 02 October 2003 
Docket No.: AOL0091 
Art Unit: 2131 
Examiner: Chen, Shin Hon 

Title: Identity Based Service System 

26 September 2006 

Assistant Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Declaration of Prior Invention to Overcome 
Cited Patent or Publication Pursuant to 37 CFR 1.131 

1. My name is David Eli Wexelblat. 

2. I have reviewed the following documents cited by the Examiner: 

(a) Bhatnagar et al. (U.S. Pub. No. 20050021964 A1); and 

(b) Rozmus et al. (U.S. Pub. No. 20040267870). 

3. The earliest effective priority date of above-mentioned reference (a) is July 
25, 2003. The earliest effective priority date of above-mentioned reference (b) is 
June 26, 2003. The conception of the claimed subject matter of my invention 
occurred prior to the specified dates of said reference (a) and reference (b), and 
was coupled with due diligence from prior to said reference dates to the filing of 
the above mentioned application. In support of this, I have attached the 
following documents, Exhibits A-M below. Neither reference claims the same 
subject matter as that claimed in my parent application. 
Namely, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating 
above mentioned reference (a) and (b), establish conception and due diligence 
of Claim 1 because such exhibits show a system, comprising: 

at least one first entity comprising any of a user, a user agent and a 
principal; 

an authentication agency; 

means for sending a login request from the first entity to the authentication 
agency; 

means for receiving an assertion at the first entity from the authentication 
agency in response to the login request; 

means for authenticating the first entity at a participant with the received 
assertion; 

means for sending a request for a service on behalf of the first entity from 
a second entity comprising any of the participant and a service consumer 
associated with the participant to any of the authentication agency and a 
discovery service associated with the authentication agency, using the assertion; 
and 

means for sending an authorization from the authentication agency to 
the second entity for the requested service in response to the sent request if the 
principal is enabled for the requested service. 

Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating above 
mentioned reference (a) and (b), also establish conception and due diligence of 
Claim 11 because exhibits show a system, comprising: 

an authentication agency for authenticating at least one first entity 
comprising any of a user, a user agent and a principal, and for sending 
assertions to the first entities; and 

at least one second entity comprising 

means for receiving the assertions from the first entities, 

means for authenticating the first entities at the second entity with 
the received assertions, 

means for sending requests for service on behalf of the first entities 
to any of the authentication agency and a discovery service associated 
with the authentication agency, using the received authentication 
information from said first entities, 

means for receiving authorizations sent from the authentication 
agency in response to the sent requests if the first entities are enabled for 
the requested services; and 

means for invoking the requested authorized services with the received 
authorizations. 

Furthermore, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. 
predating above mentioned reference (a) and (b), also establish conception and 
due diligence of Claim 23, because exhibits show a system, comprising: 

sending a login request from a first entity to an authentication agency, the 
first entity comprising any of a user, a user agent and a principal; 

receiving an assertion at the first entity from the authentication agency in 
response to the login request; 

authenticating at a participant through the first entity with the received 
assertion; 

sending a request for a service on behalf of the principal from a second 
entity comprising any of the participant and a service consumer associated with 
the participant to any of the authentication agency and a discovery service 
associated with the authentication agency, using the assertion; and 

sending an authorization from the authentication agency to the second 
entity for the requested service in response to the sent request if the first entity is 
enabled for the requested service. 

In addition, Exhibits A-M, spanning the date from (4/03) to (10/03), i.e. predating 
above mentioned reference (a) and (b), also establish conception and due 
diligence of Claim 33, because exhibits show a process, comprising the steps of: 

providing an authentication agency networked to a service; 

establishing an identity at the authentication agency for a first entity 
comprising any of a user, a user agent and a principal; 

sending authentication information from the authentication agency to the 
first entity; 

authenticating the first entity at a participant with the authentication 
information; 

sending a request for a service on behalf of the principal from a second 
entity comprising any of the participant and a service consumer associated with 
the participant to any of the authentication agency and a discovery service 
associated with the authentication agency; 

sending an authorization from the authentication agency to the second 
entity to access the service on behalf of the first entity if the first entity is enabled 
for the service by the authentication agency; and 

establishing a link between the second entity and the service, based upon 
the authorization. 

Support for Claims 1, 11, 23 and 33 is seen in Exhibit A, throughout the draft of 
the Summary, Specification and Claims of Exhibit A, Item 2, as seen at least on 
page 4, lines 8-14 (Summary); on page 5, line 30, to page 9, line 23; in Claims 1, 
11, 22 and 32; and in Figures 1-6, 9 and 11-16 of Exhibit A, Item 3, wherein a 
first entity comprises at least any of a user and a principal, and an identity 
provider 14 acts as an authentication agency. 

4. The Exhibits. 

It should be appreciated that some of the documents listed hereinbelow show 
the date on which they were printed, wherein the date reflects the printed date 
and not the date of creation of the document. 

Exhibit A. 

May 14, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments 
needed, which includes a request for identification of inventors to "get the 
drafts out for review". 

Attached to the email are documents, including a draft of the Specification 
with Claims and Drawings: 

Item 2) Application Draft Document, AOL0091.App.V1 4.15.03.doc; and 
Item 3) Application Drawings Draft Document, Dwgs 5.13.03.v1.pdf. 

Exhibit B. 

May 15, 2003: 

Item 1) A copy of an email with Subject: Here you go!!!, which includes 
contact information for at least one inventor. 

Exhibit C. 

May 15, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes coordination with identification of possible inventors. 

Exhibit D. 

May 15, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 draft comments needed, 
which includes contact information for possible inventors. 

Exhibit E. 

May 22, 2003: 

Item 1) A copy of an email dated May 22, 2003 with Subject: Re: AOL0091 draft 
comments needed, which includes a request for review by Conor Cahill, Edwin Aoki, J. 
Carriere and David Wexelblat. 

Attached to the email are documents, including a draft of the Specification with 
Claims and Drawings: 

Item 2) Application Draft Document, AOL0091.App.V1 4.15.03.doc; and 
Item 3) Application Drawings Draft Document, AOL0091.Dwgs.v1.pdf. 

Exhibit F. 

May 22, 2003 and June 11, 2003: 

Item 1) A copy of an email dated June 11, 2003 with Subject: Re: AOL0091 draft 
review, 2nd request, which includes a request for review by Conor Cahill, Edwin Aoki, J. 
Carriere and David Wexelblat. 

Item 2) Attached to the email of Item 1 is the appended Email with Attached 
Documents of Exhibit E, comprising: 

Item 3) Application Draft Document, AOL0091.App.V1 4.15.03.doc; and 

Item 4) Application Drawings Draft Document, AOL0091.Dwgs.v1.pdf. 

Exhibit G. 

July 17, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to review of Application draft, with comments provided by David Eli 
Wexelblat. 

Exhibit H. 

July 21, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to review of Application draft and comments provided by Norihiro 
Edwin Aoki. 

Attached to the email was the following document: 

Item 2) Application Draft Redline Document AOL0091.App.V1 4.15.03 EA. 

Exhibit I. 

July 23, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Patent Draft *Comments 
Due ASAP!; 

Email refers to the forwarding of comments from Edwin Aoki and David 
Wexelblat for incorporation into Application, and submission of inventor 
information for formal documents. 

Exhibit J. 

July 23, 2003: 

Item 1) A copy of an email with Subject: Re: AOL0091 Signature Forms!; 

Email refers to identification of Chris Toomey as an inventor, attached signature 
form, and an attached Application for review by Chris Toomey. 

Attached to the email are the following documents: 

Item 2) Assignment.doc; and 
Item 3) Dec:POA.doc. 

Exhibit K. 

August 14, 2003: 

Item 1) A copy of an email dated August 14, 2003 with Subject: AOL0091 
Second Patent Draft for Comments ASAP, with a request for review by Conor Cahill, 
Edwin Aoki, David Wexelblat and Jeromy Carriere. 

Attached to the email are documents, including a draft of the Specification with 
Claims and Drawings: 

Item 2) Application Draft Document, AOL0091.App.V2.8.14.03.doc; and 

Item 3) Application Drawings Draft Document, AOL0091.Dwgs.v2.pdf. 

Exhibit L. 

August 14, 2003: 

Item 1) A copy of an email dated August 14, 2003 with Subject: Re: AOL0091 
Second Patent Draft for Comments ASAP; 

Wherein Edwin Aoki notes that he forwarded the request (of Exhibit K) to Jim 
Roskind & Chris Toomey. 

Exhibit M. 

August 29, 2003: 

Item 1) A copy of an email with Subject: AOL0091 - Final Draft for Filing & 
Inventor Disclosure Form; 

Email refers to pending delivery of formal drawings, and documents attached to 
the email, including the Application and an Inventor Disclosure form. 

Also attached to the email is email confirmation for approval to file from Conor 
Cahill to Applicant's representative, Don Hendricks, from an email of 08/29/03 
with Subject: Re: AOL0091 Fourth Draft of Figures for Comments ASAP. 

5. I am one of the inventors that used each of the attached documents shown in 
Exhibits A, E, F, H, J, and K. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; 
and Exhibit F, Items 3 and 4 contain a description of exemplary embodiments of 
the invention. Exhibit A, Items 2 and 3; Exhibit E, Items 2 and 3; and Exhibit F, 
Items 3 and 4 were created before June 26, 2003 and show a conception date of 
the invention prior to both the effective date of July 25, 2003 for Reference (a) 
and before the effective date of June 26, 2003 of Reference (b). 

Exhibit H, Item 2 also contains a description of exemplary embodiments of the 
invention, and was created before the effective date of July 25, 2003 for 
Reference (a). 

Exhibits A - M establish due diligence from conception prior to the prior art of 
reference to the filing of the patent application. 

6. The above-cited application was subsequently filed on 02 October 2003. 

7. I hereby acknowledge that willful false statements and the like are punishable 
by fine or imprisonment, or both (18 U.S.C. 1001) and may jeopardize the 
validity of my application or any patent issuing thereon. All statements made of 
my own knowledge are true and all statements made on information or beliefs 
are believed to be true. 

David Eli Wexelblat 

Date 

Declarant 
EXHIBIT A 

Attached is the draft patent application and draft drawings for AOL0091 "IDENTITY 
BASED SERVICE SYSTEM". At this time you are the only inventor we are aware of. I need 
to know if Andy Feng, Aleksey Sanin, Chris Toomey and Rob Weltman are also 
inventors. Any one else? 

Please let me know asap so I can get the drafts out for review. 

Patent Administrator 

Glenn Patent Group 
3475 Edison Way, Suite L 
Menlo Park, CA 94025 
650-474-8400 (Tel) 
650-474-8401 (Fax) 

This message is intended only for the individual to whom it is addressed and may 
contain information that is confidential, privileged, or otherwise exempt from 
disclosure under applicable law. If you are not the individual to whom this message 
is addressed, you are advised that any use, copying, or disclosure of this message 
or the contents thereof is without permission and contrary to law. If you receive 
this message in error, please call 650-474-8400. 

Microsoft Word Document (application/msword) 

Name: Dwgs 5.13.03.v1.pdf 
Type: Portable Document Format (application/pdf) 
Encoding: base64 
Description: Unknown Document 
Download Status: Not downloaded with message 
IDENTITY BASED SERVICE SYSTEM 

FIELD OF THE INVENTION 

The invention relates to the field of network based services and structures. More 
particularly, the invention relates to identity creation, management, authentication, and 
authorization structures for enhanced network services. 

BACKGROUND OF THE INVENTION 

At the present time, the identity of an individual or user in a network environment, such 
as the Internet, is comprised of a large number of pieces of information, which is 
collected and recollected by a large number of entities. Some basic information 
regarding an individual, such as but not limited to name information, address 
information, identification information, financial information, profile information, and/or 
preference information, is repeatedly collected and stored at a large number of system 
entities. Additional information, such as a user name and password, is created, as 
necessary, such that the individual or user can sign on and/or gain access to a service 
provider. 

A large number of pieces of an individual's business and personal identity are therefore 
scattered across an increasing number of system entities, such as but not limited to 
commercial entities, banking and investment institutions, credit card companies, service 
providers, and/or educational institutions. 

Individuals are therefore required to repeatedly enter much of the same information, in 
the process of numerous professional and/or personal endeavors. Furthermore, as the 
information for an individual changes, the stored information becomes increasingly 
impractical to manage and/or update. In addition, the numerous user names and 
passwords associated with an individual quickly become unwieldy, such that users 
often forget or lose track of the information they need to access services and/or 
accounts. 

Several structures and methods have been described for identity and proxy-based 
networks, such as: 

E. Gabber, P. Gibbons, Y. Matias, and A. Mayer, System and Method for Providing 
Anonymous Personalized Browsing by a Proxy System in a Network, U.S. Pat. No. 
5,961,593, 05 October 1999, describes a system "For use with a network having server 
sites capable of being browsed by users based on identifiers received into the server 
sites and personal to the users, alternative proxy systems for providing substitute 
identifiers to the server sites that allow the users to browse the server sites 
anonymously via the proxy system. A central proxy system includes computer-executable 
routines that process site-specific substitute identifiers constructed from 
data specific to the users, that transmits the substitute identifiers to the server sites, that 
retransmits browsing commands received from the users to the server sites, and that 
removes portions of the browsing commands that would identify the users to the server 
sites. The foregoing functionality is performed consistently by the central proxy system 
during subsequent visits to a given server site as the same site specific substitute 
identifiers are reused. Consistent use of the site specific substitute identifiers enables 
the server site to recognize a returning user and, possibly, provide personalized 
service"; 

Proxy-Based Security Protocols in Networked Mobile Devices; M. Burnside, D. Clarke, 
T. Mills, S. Devadas, and R. Rivest; MIT Laboratory for Computer Science; 
event,declarke,mills,devada,rivest@mit.edu; 

SPKI/SDSI HTTP Server / Certificate Chain Discovery in SPKI/SDSI; D. Clarke; MIT 
Laboratory for Electrical Engineering and Computer Science, September 2001; 

Grid Information Services for Distributed Resource Sharing; K. Czajkowski, S. 
Fitzgerald, I. Foster, C. Kesselman; Proc. 10th IEEE Symposium on High-Performance 
Distributed Computing, 2001; 

Certificate Discovery Using SPKI/SDSI 2.0 Certificates; J. Elien; MIT Department of 
Electrical Engineering and Computer Science; May 1998; and 

Local Names in SPKI/SDSI; N. Li; NYU Department of Computer Science; Proceedings 
of the 13th IEEE Computer Security Foundations Workshop. 

Other systems provide various details of the operation of network identity and proxy 
systems, such as U.S. Patent No. 6,460,036, System and Method for Providing 
Customized Electronic Newspapers and Target Advertisements; U.S. Patent No. 
6,029,195, System for Customized Electronic Identification of Desirable Objects; U.S. 
Patent No. 5,835,087, System for Generation of Object Profiles for a System for 
Customized Electronic Identification of Desirable Objects; U.S. Patent No. 5,754,939, 
System for Generation of User Profiles for a System for Customized Electronic 
Identification of Desirable Objects; U.S. Patent No. 5,754,938, Pseudonymous Server 
for System for Customized Electronic Identification of Desirable Objects; U.S. Patent 
No. 6,490,620, Integrated Proxy Interface for Web Based Alarm Management Tools; 
U.S. Patent No. 6,480,885, Dynamically Matching Users for Group Communications 
Based on a Threshold Degree of Matching of Sender and Recipient Predetermined 
Acceptance Criteria; U.S. Patent No. 6,473,407, Integrated Proxy Interface for Web 
Based Alarm Management Tools; U.S. Patent No. 6,421,733, System for Dynamically 
Transcoding Data Transmitted Between Computers; U.S. Patent No. 6,385,652, 
Customer Access Solutions Architecture; U.S. Patent No. 6,373,817, Chase Me 
System; U.S. Patent No. 6,338,064, Method for Enabling a Web Server Running a 
"Closed" Native Operating System to Impersonate a User of a Web Client to Obtain a 
Protected File; U.S. Patent No. 6,259,782, One-Number Communications System and 
Service Integrating Wireline/Wireless Telephone Communications Systems; U.S. Patent 
No. 5,974,566, Method and Apparatus for Providing Persistent Fault-Tolerant Proxy 
Login to a Web-Based Distributed File Service; European Pat. No. EP 1094404, 
Collaborator Discovery Method and System; European Pat. No. EP 1031206, Identity 
Discovery Method for Detecting Authorized Security Service Which is Illicitly 
Transferring Decoding Capabilities for Use in Unauthorized Security Devices; The 
Session Initiation Protocol: Internet-Centric Signaling; H. Schulzrinne, J. Rosenberg; 
IEEE Communications Magazine; October 2000; How Bluetooth Embeds in the 
Environment; Lawday, G.; Electronic Product Design; Nov. 2001; and Business: 
Designing with Users in Internet Time; J. Braiterman, S. Verhage, and R. Choo; 
Interactions: Sept.-Oct. 2000. 

It would be advantageous to provide an identity based service system, which does not 
require a user to create a user identity for each service provider. The development of 
such an identity based service system would constitute a major technological advance. 

Furthermore, it would be advantageous to provide an identity based service system, 
which allows a user to create an identity which can be controllably accessed and 
shared by a plurality of service providers. The development of such an identity based 
service system would constitute a further technological advance. 

As well, it would be advantageous that such an identity based service system be 
integrated with existing site authentication and authorization structures, such that the 
identity based service system is readily used by a wide variety of sites. The 
development of such an identity based service system would constitute a further major 
technological advance. 

SUMMARY OF THE INVENTION 

An identity based service system is provided, in which an identity is created and 
managed for a user or principal, such that at least a portion of the identity is available to 
use between one or more system entities. A discovery service enables a system entity 
to discover a service descriptor, given a service name and a name identifier of the user, 
whereby system entities can find and invoke the user's other personal web services. 
The discovery service preferably provides a translation between a plurality of 
namespaces, to prevent linkable identity information over time between system entities. 

Attorney Docket No. AOL0091 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a basic functional block diagram for an identity based service system, in 
which a service provider accesses services for a principal; 

Figure 2 is a flow diagram for the access of service within an identity based service 
system; 

Figure 3 is a functional block diagram of an identity based service system, comprising a 
discovery service associated with an identity provider, a web service provider, and a 
web service consumer; 

Figure 4 is a flow diagram for the access of service within an identity based service 
system comprising a discovery service associated with an identity provider, a web 
service provider, and a web service consumer; 

Figure 5 is a functional block diagram of an identity based service system, in which a 
discovery service issues service assertions that are used to invoke services; 

Figure 6 is a flow diagram for the access of service in the identity based service system 
shown in Figure 5; 

Figure 7 is a functional block diagram of profile service principal core information; 

Figure 8 is a functional block diagram of a profile data entry; 

Figure 9 is a schematic view of an identity based service system configured on a virtual 
network; 

Figure 10 is a functional block diagram of a core authentication record; 

Figure 11 is a functional block diagram of multiple core authentication records which are 
maintained on behalf of a plurality of identities for a user; 

Figure 12 is a functional block diagram of multiple core authentication records 
maintained on behalf of a user, based upon system access through different devices; 

Figure 13 is a schematic view of namespace translation within the identity based 
service system; 

Figure 14 is a first schematic view of operation for an identity based service system, in 
which a user logs onto a first service provider site; 

Figure 15 is a second view of operation for an identity based service system, wherein a 
user may select system site links and/or system service links; and 

Figure 16 is a third view of operation for an identity based service system, in which a 
system identity is established at an identity provider. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Figure 1 is a basic functional block diagram for an identity based service system 10a, in 
which a service provider 16 accesses services for a principal 12. Figure 2 is a flow 
diagram 30 for the access of service within an identity based service system 10. In 
Figure 1, the system entities 27 comprise an identity provider 14, a service provider 16, 
and a principal 12. The system entities 27 assume roles within the identity based 
service system 10. 
A principal 12, such as a user or user agent, is an entity 27 that can acquire a system 
identity 29, and be authenticated and vouched for 19 by an identity provider 14. A 
principal 12 often comprises a user, using a user agent, either a web browser or a 
smart web services client. 

An identity provider (IDP) 14 authenticates and vouches for principals 12, and provides 
system management for system identities 29. A service provider (SP) 16 provides 
service to one or more requestors, such as principals 12, typically through a web 
consumer 48 (Fig. 3), upon proof of authentication 19 by the identity provider 14. 

The identity based service system 10a shown in Figure 1 provides a web services-based 
service infrastructure that enables users U to manage the sharing of their 
personal information across an identity provider 14 and service providers 16. In some 
system embodiments 10, the system 10 also provides personalized services 116 (FIG. 
9) for users U (FIG. 11). 

For example, a user U, through a principal 12, is able to authorize a service provider 16 
to access his or her contact data 94a (FIG. 7), such as shipping address data 96 (FIG. 
7), while processing a transaction. Principals 12 are able to use sophisticated clients 
that support web services, in addition to traditional browser-oriented user agents. In 
some system embodiments, web services are defined as simple object access protocol 
(SOAP) bindings over HTTP calls, comprising header blocks and processing rules, which 
enable the system to invoke identity services 116 through SOAP requests and 
responses. 

The identity based system framework 10 enables service providers 16 and other 
system entities 27 to craft and offer sophisticated services, including multi-provider-based 
services 116 (FIG. 9). 
Figure 3 is a functional block diagram 40 of an identity based service system 10b, which 
further comprises a discovery service 42 associated with the identity provider 14, a web 
service provider 42, and a web service consumer 48. Figure 4 is a flow diagram 60 for 
the access of service within an identity based service system 10b. 

A web service provider (WSP) 54 hosts personal web services 116 (FIG. 9), such as a 
profile service 116b (FIG. 9), while a web service consumer (WSC) 48 invokes web 
services 116 at web service providers WSP 54. With appropriate identification and 
authorization, a web service consumer 48 is able to access the user's personal web 
services 116, by communicating with the web service provider endpoint 54. 

As seen in Figure 3, the identity provider IDP 14 provides authentication 19 to the 
principal 12, based upon a successful log in 18. The principal 12 then interacts with the 
service provider 16, and relays the authentication information 19, comprising an IDP 
assertion 45 and a discovery service descriptor 26. 

The service provider SP 16, acting as a web service consumer 48, uses the discovery 
service 42, to determine whether the principal 14 is enabled for a particular service 116, 
and to obtain the necessary assertions which authorize use of the service 116. The 
policy framework addresses whether the principal 12 is enabled for some particular 
service, and if so, what fine-grained methods are allowed, and what data is to be 
returned. Web service security is typically applied to all messages flowing between 
system entities 27. 
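The log in 18, authentication 19, discovery and authorization sequence just described (the same sequence the declaration above recites as Claim 1), worked through as an added example that is not part of the draft application or of any implementation by the applicant: the Python below models the identity provider with its discovery service, a participant that authenticates the principal and then acts as web service consumer 48, and a web service provider. HMAC-signed JSON tokens stand in for the IDP assertion 45 and the service assertion 28, and the user names, service names, endpoints, keys and lifetimes are all constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

IDP_ASSERTION_TTL = 300      # assumed lifetime of an IDP assertion, seconds
SERVICE_ASSERTION_TTL = 60   # assumed lifetime of a service assertion, seconds

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _sign(key, claims):
    # Compact token base64url(JSON claims).base64url(HMAC-SHA256 tag): a stand-in for
    # a signed SAML/WS-Security assertion, with one key per issuer/verifier pair.
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def _verify(key, token, now):
    # Return the claims if the tag matches (constant-time compare) and "exp" is ahead.
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
    except ValueError:
        return None
    if not hmac.compare_digest(_b64(hmac.new(key, body, hashlib.sha256).digest()), tag_b64):
        return None
    claims = json.loads(body)
    return claims if claims.get("exp", 0) > now else None

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    """Authenticates principals and hosts the discovery service that applies the policy."""
    def __init__(self, idp_key, wsp_keys, services):
        self.idp_key = idp_key      # shared with participants that verify IDP assertions
        self.wsp_keys = wsp_keys    # wsp name -> key shared with that web service provider
        self.services = services    # service name -> (wsp name, service descriptor)
        self._users = {}            # user -> (salt, PBKDF2 hash)
        self._enabled = {}          # user -> set of services the user has enabled

    def register(self, user, password, enabled_services):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _pw_hash(password, salt))
        self._enabled[user] = set(enabled_services)

    def login(self, user, password, now):
        # Log in 18 / authentication 19: issue IDP assertion 45 and discovery descriptor 26.
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(rec[1], _pw_hash(password, rec[0])):
            return None
        claims = {"iss": "idp", "sub": user, "exp": now + IDP_ASSERTION_TTL}
        return {"assertion": _sign(self.idp_key, claims), "discovery": "https://idp.example/discovery"}

    def discover(self, assertion, service_name, now):
        # Policy check: only an enabled principal gets a service assertion 28 + descriptor.
        claims = _verify(self.idp_key, assertion, now)
        if claims is None or service_name not in self.services \
                or service_name not in self._enabled.get(claims["sub"], ()):
            return None
        wsp, descriptor = self.services[service_name]
        svc = {"iss": "idp", "sub": claims["sub"], "svc": service_name, "aud": wsp,
               "exp": now + SERVICE_ASSERTION_TTL}
        return {"descriptor": descriptor, "assertion": _sign(self.wsp_keys[wsp], svc)}

class WebServiceProvider:
    def __init__(self, name, key, data):
        self.name, self.key, self.data = name, key, data

    def invoke(self, service_name, assertion, now):
        # Honour only a service assertion addressed to this WSP and this service.
        claims = _verify(self.key, assertion, now)
        if claims is None or claims["aud"] != self.name or claims["svc"] != service_name:
            return None
        return self.data.get(claims["sub"])

class ServiceProvider:
    def __init__(self, idp, idp_key, wsps):
        self.idp, self.idp_key, self.wsps = idp, idp_key, wsps   # wsps: descriptor -> WSP

    def handle_request(self, assertion, service_name, now):
        # The participant: check the IDP assertion, then act as WSC 48 towards DS and WSP.
        if _verify(self.idp_key, assertion, now) is None:
            return "not authenticated"
        grant = self.idp.discover(assertion, service_name, now)
        if grant is None:
            return "not authorized"
        return self.wsps[grant["descriptor"]].invoke(service_name, grant["assertion"], now)

def demo():
    # Constructed users, keys and profile data; one success path and three refusals.
    idp_key, profile_key = secrets.token_bytes(32), secrets.token_bytes(32)
    idp = IdentityProvider(idp_key, {"profile-wsp": profile_key},
                           {"profile": ("profile-wsp", "https://wsp.example/profile")})
    idp.register("alice", "correct horse", ["profile"])
    idp.register("bob", "battery staple", [])        # bob never enabled the profile service
    wsp = WebServiceProvider("profile-wsp", profile_key, {"alice": {"ship_to": "1 Main St"}})
    sp = ServiceProvider(idp, idp_key, {"https://wsp.example/profile": wsp})
    now = time.time()
    alice = idp.login("alice", "correct horse", now)["assertion"]
    bob = idp.login("bob", "battery staple", now)["assertion"]
    forged = _sign(b"not the idp key", {"iss": "idp", "sub": "alice", "exp": now + 300})
    return {
        "alice": sp.handle_request(alice, "profile", now),
        "expired": sp.handle_request(alice, "profile", now + IDP_ASSERTION_TTL + 1),
        "forged": sp.handle_request(forged, "profile", now),
        "bob": sp.handle_request(bob, "profile", now),
    }
```

The checks a practitioner should look for are visible in `demo()`: the participant accepts only an assertion whose tag verifies under the identity provider's key and whose expiry is still ahead; the discovery service refuses a principal who has not enabled the service (bob), which is the enablement policy the text describes; and the web service provider refuses a service assertion addressed to another provider or another service, so a credential obtained for one service cannot be replayed against a different one.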

As seen in Figure 3, the identity based service system 10b comprises a web-service 
infrastructure, which comprises the discovery service 42, service invocation 52, a 
permission and authorization framework, a change management framework, as well as 
a mobile infrastructure. 
In some system embodiments 10, web service consumers 48 are hosted on a server at 
a service provider 54. In alternate system embodiments 10, web service consumers 48 
are hosted on a user device 192 (FIG. 14). 

A discovery device (DS) 44 is typically hosted by an identity provider (IDP) 14, and 
enables web service consumers 48 to discover service endpoint information 96 (FIG. 7) 
associated with the personal web services 116 of a user U. 

Architectural Components. The identity based service system 10 comprises the 
following architectural components: 

Services. A service is a grouping of common functionality. For example, a core 
profile service 116b (FIG. 9) handles all interaction to do with user profile 
information 96. Services typically offer one or more methods callers use to 
manipulate the information managed by the service, and are typically scoped in 
the context of a particular principal 12, e.g. GetProfile (Principal) accesses the 
principal's entire set of profile data. 

Services may be either RPC-style or one-way exchanges. In RPC-based 
exchanges, the Web Services Consumer 48 is the requestor 50, and the Web 
Services Provider 54 is the responder 51. 

Schemas. Schemas describe the syntax and relationships of data. Each 
service element 116 comprises an associated schema for the data that is 
relevant to the service element 116. For example, the profile service 116b 
comprises schema elements 96 which are relevant to a profile 94, such as but 
not limited to a name, an address, and a phone number for a user U. 

System Entity Roles. System Entities may assume one or more roles. 

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As seen in Figure 3, service descriptors 26 are used to locate a system service 54, 
while service assertions 28 are used as credentials, to access the system service 54. A 
service descriptor 26 typically describes a SOAP endpoint for an identity based system 
service 54. A service assertion 28 is an assertion used as a credential to access an 
5 identity based system service 54. 

Discovery Service Overview. In the identity based service system 10, the personal web services 116 for a user U are preferably distributed across multiple web service providers 54. Therefore, web service consumers 48 comprise a means for discovering service locations 54. The discovery device 42 is a personal web service which enables system entities 27 to discover a service descriptor 26, given a service name and a user's name identifier 174 (FIG. 13), whereby a web service consumer 48 is able to find and invoke the web services 54 of a user U.

Figure 5 is a functional block diagram 70 of an identity based service system 10, in which a discovery service 42 issues service assertions 28 that are used to invoke services 54. Figure 6 is a flow diagram 80 for the access of a service 54.

Because of the pseudonymous identity of users in the identity based service system 10, web service consumers 48 and web service providers 54 do not have a common name for a user U. The identity provider 14 of a user U is the system entity 27 that maps between the disparate namespaces 176,182 (FIG. 13). As seen in Figure 13, the discovery service 42, which is hosted by the identity provider 14, provides this namespace translation.


The web service consumer 48 prompts the name translation service by sending the user's name 174a in the WSC-IDP namespace 176 to the identity provider 14. The identity provider 14 hands back a user name 174b in the WSP-IDP namespace 182, in a form to which the web service consumer 48 is blinded, via encryption 184. The encrypted value 184 of the name 174b is preferably different each time the name 174a,174b is used, such that there is no linkable identity information over time between the web service consumer 48 and the web service provider 54. This name translation assertion 28 is also preferably time-bound, to prevent long-term use of a translated name 174b, and to prevent linking of the actions of a principal 12.

In the identity based service system 10, the user's identity provider 14 always hosts the discovery service 42, since the discovery service 54 must be aware of the pair-wise identifier relationships 174a,174b between parties 27.

In response to a discovery request, the service 54 returns 52 a service descriptor 26 that points to a particular web service provider 54. Additionally, a translated name 174b and relevant security tokens 186 (FIG. 13) are typically included as well. Some discovery services 54 enforce user presence requirements on web service consumers 48, and/or enforce one or more authorization rules on each web service consumer 48.
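The discovery exchange and the blinded name translation described above, as an added example that is not part of this application or its drawings: a toy discovery service holds the pair-wise identifier mapping, returns a service descriptor for a requested service name, and hands the web service consumer an encrypted, time-bound translated name that differs on every call, so the consumer cannot link two requests for the same user while the provider can still resolve both. The service name, endpoint URL, pseudonyms, the 300-second lifetime and the encrypt-then-MAC construction built from HMAC-SHA256 (a stand-in for a real authenticated cipher such as AES-GCM) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

TOKEN_TTL_SECONDS = 300  # assumed lifetime of a translated name; the source gives no value


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def blind_name(wsp_key: bytes, wsp_name: str, now: float) -> bytes:
    """IdP side: encrypt the WSP-namespace name under the key shared with that WSP.
    A fresh nonce makes every token different (no linkability for the WSC); the
    embedded expiry time-bounds it. Layout: nonce(16) | expiry(8) | ciphertext | tag(32)."""
    nonce = os.urandom(16)
    header = nonce + struct.pack(">Q", int(now) + TOKEN_TTL_SECONDS)
    pt = wsp_name.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(wsp_key, nonce, len(pt))))
    tag = hmac.new(wsp_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def unblind_name(wsp_key: bytes, token: bytes, now: float) -> Optional[str]:
    """WSP side: verify the tag first, then the expiry, then decrypt. None means reject."""
    if len(token) < 16 + 8 + 32:
        return None
    header, ct, tag = token[:24], token[24:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(wsp_key, header + ct, hashlib.sha256).digest(), tag):
        return None
    nonce, expiry = header[:16], struct.unpack(">Q", header[16:24])[0]
    if now >= expiry:
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(wsp_key, nonce, len(ct)))).decode("utf-8")


class DiscoveryService:
    """Hosted by the IdP: the only party that knows both pair-wise namespaces."""

    def __init__(self):
        self.wsp_keys = {}   # wsp_id -> key shared between the IdP and that WSP
        self.endpoints = {}  # (wsp_id, service_name) -> SOAP endpoint (the service descriptor)
        self.mapping = {}    # (wsc_id, name in WSC-IdP namespace, service) -> (wsp_id, name in WSP-IdP namespace)

    def register_provider(self, wsp_id, key, service_name, endpoint):
        self.wsp_keys[wsp_id] = key
        self.endpoints[(wsp_id, service_name)] = endpoint

    def link_user(self, wsc_id, wsc_name, service_name, wsp_id, wsp_name):
        self.mapping[(wsc_id, wsc_name, service_name)] = (wsp_id, wsp_name)

    def discover(self, wsc_id, wsc_name, service_name, now=None):
        """Return the descriptor plus a blinded, time-bound translated name, or None."""
        now = time.time() if now is None else now
        target = self.mapping.get((wsc_id, wsc_name, service_name))
        if target is None:
            return None
        wsp_id, wsp_name = target
        return {"endpoint": self.endpoints[(wsp_id, service_name)], "provider": wsp_id,
                "translated_name": blind_name(self.wsp_keys[wsp_id], wsp_name, now)}


def demo(now: float = 1_000_000.0) -> dict:
    """Constructed scenario (hypothetical names); returns values a test can check."""
    ds, wsp_key = DiscoveryService(), os.urandom(32)
    ds.register_provider("profile-wsp", wsp_key, "urn:example:profile", "https://profile.example/soap")
    ds.link_user("shop-wsc", "wsc-pseudonym-7f3a", "urn:example:profile", "profile-wsp", "wsp-pseudonym-91c0")
    d1 = ds.discover("shop-wsc", "wsc-pseudonym-7f3a", "urn:example:profile", now)
    d2 = ds.discover("shop-wsc", "wsc-pseudonym-7f3a", "urn:example:profile", now)
    tampered = bytearray(d1["translated_name"])
    tampered[30] ^= 1  # flip one ciphertext bit; the tag must catch it
    return {
        "endpoint": d1["endpoint"],
        "unlinkable": d1["translated_name"] != d2["translated_name"],
        "wsp_sees_1": unblind_name(wsp_key, d1["translated_name"], now + 1),
        "wsp_sees_2": unblind_name(wsp_key, d2["translated_name"], now + 1),
        "expired": unblind_name(wsp_key, d1["translated_name"], now + TOKEN_TTL_SECONDS + 1),
        "tampered": unblind_name(wsp_key, bytes(tampered), now + 1),
        "unknown_user": ds.discover("shop-wsc", "nobody", "urn:example:profile", now),
    }
```

The consumer only ever sees the opaque token, and because the nonce is fresh per call two lookups for the same user are not comparable; the provider, which shares the key with the identity provider, recovers the same WSP-namespace name from both and refuses anything expired or modified.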

The discovery service 54 also provides an administrative interface, whereby a set of services 116 for a user can be configured. Services may be registered and unregistered. (***Please clarify these features as needed***)

Profile Service. Figure 7 is a functional block diagram 90 of a profile service 116b (FIG. 9) and the principal core information 92 it manages. A profile service 90 manages the core personal information 92 for a principal 12. The core personal information 92 typically comprises a plurality of data types 94a-94n, such as contact data 94a, demographic data 94b, and/or core preferences 94n.

A profile service 116 (FIG. 9) allows principals 12 to create a profile 92, to update profile data 94a-94n, and to specify privacy controls 98. Once a user creates a profile 92, the profile 92 can be used at any of the system web service consumer 48 sites, such that principals 12 are not required to re-enter data, such as on a registration form.

Figure 8 is a functional block diagram of a profile data entry. Each profile data entry 96 is typically associated with a collection of metadata 107, such as data categories 102, change timestamp information 104, data validation information 106, and/or creator information 108.

Data category information 102 allows information to be classified as applicable, such as to define a home or business profile. For example, an address can be classified as a home and/or a business address. Data categories 102 are typically defined by web service providers 54, by web service consumers 48, and/or by principals 12.

Change timestamp information 104 typically comprises a number 105, e.g. 105a, which represents the latest modification time of a particular node and its associated descendants.

Data validation information 106 comprises an indication of whether the data content 94 has been validated or not. If the data content 94 is validated, the information may preferably comprise what type of validation was performed, and when the validation was performed. A web service consumer 48 typically uses metadata 107.
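The profile metadata just described, as an added example that is not code from this application: a small profile tree in which each node carries its data categories, validation state, creator and its own modification time, a change timestamp computed as the latest modification time over a node and its descendants, and the way a consumer uses that timestamp to re-fetch only the subtrees that changed since its last synchronisation. The field names, the "postal-lookup" validation type and the sample addresses are constructed for the example.

```python
class ProfileNode:
    """One node of a profile tree together with its metadata: data categories,
    validation state, creator, and the node's own modification time."""

    def __init__(self, name, value=None, categories=(), creator=None, validation=None, mtime=0):
        self.name = name
        self.value = value
        self.categories = set(categories)  # e.g. {"home"} or {"business"}
        self.creator = creator             # who wrote the value: the user, a WSP or a WSC
        self.validation = validation       # e.g. {"type": "postal-lookup", "at": 2}, or None
        self.mtime = mtime                 # this node's own last-modified time
        self.children = {}


def update(root, path, value, now, creator, categories=()):
    """Write a leaf at `path`; a changed value is no longer considered validated."""
    node = root
    for part in path:
        node = node.children.setdefault(part, ProfileNode(part))
    node.value, node.mtime, node.creator = value, now, creator
    node.validation = None
    if categories:
        node.categories = set(categories)
    return node


def change_timestamp(node):
    """Latest modification time of the node and all of its descendants."""
    return max([node.mtime] + [change_timestamp(c) for c in node.children.values()])


def changed_since(node, since, path=()):
    """Paths of leaves changed after `since`. Subtrees whose change timestamp is not
    newer are skipped, which is how a consumer re-fetches only what moved."""
    if change_timestamp(node) <= since:
        return []
    full = path + (node.name,)
    out = []
    if not node.children and node.mtime > since:
        out.append("/".join(full))
    for child in node.children.values():
        out.extend(changed_since(child, since, full))
    return out


def demo():
    """Constructed profile (hypothetical data); returns values a test can check."""
    root = ProfileNode("profile")
    home = update(root, ("contact", "address", "home"), "1 Main St", now=1, creator="user", categories={"home"})
    home.validation = {"type": "postal-lookup", "at": 2}  # validated after entry
    update(root, ("demographic", "birthyear"), 1980, now=1, creator="user")
    last_sync = change_timestamp(root)
    update(root, ("contact", "address", "work"), "2 Market St", now=5, creator="hr-wsp", categories={"business"})
    return {
        "last_sync": last_sync,
        "now_latest": change_timestamp(root),
        "to_refetch": changed_since(root, last_sync),
        "home_validation_kept": home.validation is not None,
    }
```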

Figure 9 is a schematic view 110 of an identity based service system 10 configured on a virtual network 112. The virtual network 112 provides a single set 114 of services 116a-116n, which are provided by one or more contributors 118a-118j. The virtual network 112 formed within the identity based service system 10 provides one or more core services 116, such as an authentication service 116a, a profile service 116b, an alert service 116c, and/or a wallet service 116n. The identity based service system 10 also supports other value-added services 116 for a user, such as a calendar service and/or an address book service. The identity based service system 10 provides access for a wide variety of web consumer sites 120a-120k, such as large and small business sites 120a, 120k.

As seen in Figure 9, service consumers 48 comprise sites which use services 116 from the network 112. As seen through a site 120, the services 116 presented by the virtual network 112 preferably look like a single set 114 of services 116, i.e. from a single provider 118 of services, even though the services are typically provided by any number of contributors 118a-118j.

The core service provider 118b shown in Figure 9 provides all of the core services 116a-116n on the virtual network 112. While some basic services, such as a profile service, are currently available through some Internet providers, such services are separate and distinct. In the identity based service system 10, the various services 116a-116n are aware of each other and of the virtual network 112.

As seen in Figure 9, the identity based service system 10 preferably comprises a plurality of service contributors, i.e. vendors 118a-118j. While different vendors 118 typically contribute different sets of varying services 116, the source of a service 116 is typically transparent to users U as they interact with the recipient sites 120.

Levels of Trust and Integration. The identity based service system 10 preferably provides varying levels of trust and integration. For example, as seen in Figure 9, a small retail site 120k typically comprises a low level of trust, such that a user U is typically asked to confirm transactions, through redirect exchanges with the system 10.

A larger site 120, such as a large retail site 120a or an auction site 120b, which is integrated with the network 112 and is able to perform tasks on behalf of the user U, e.g. get money from a wallet 116n, typically has a higher level of trust with the system 10.

Core service providers 118, such as providers 118a-118j of core services 116, typically have a high level of trust with the system 10, and are able to perform system functions on behalf of a user U. In addition, core service providers 118 which provide authentication 116a have the highest level of service requirements, and inherently require the highest level of trust within the system 10.

Service Invocation. In order to enable interactions between multiple endpoints within a circle of trust, the discovery service 54 issues service assertions 28 (FIG. 3, FIG. 5) that can be used by service consumers 48, such as to access other service providers 54.

In some embodiments of the identity based service system 10, messages can be 
routed and be transported through multiple hops. Additionally, message-level 
confidentiality is employed for sensitive data in multi-hop cases where confidentiality is 
required. 


The target service provider 54 does not simply consume the service assertion 28. 
Relevant policy is enforced to ensure that the service invocation is in line with the 
principal's policies. 

Authentication. Most system services require requester authentication. Additionally, the response is authenticated. For example, a user authentication comprises a determination of the identity 29 of a user U. Online authentication can take many forms, such as a stored browser cookie, a user name/password combination, or stronger technologies such as smart cards or biometric devices.


In the identity based service system 10, the user's identity 29 is authenticated, in accordance with privacy and security policies. The evidence of authentication for a user U comprises the user identity 29, in addition to guarantees of authentication. The evidence of authentication for a user U refers to stored and/or passed data that indicates that a user is authenticated, and which can be interrogated to verify the authentication.

As an example, web sites often use a stored cookie to provide personalization information about their site for the user. However, for e-commerce transactions, that same web site will often require a user ID and password. Both are authentications, but the ID/password is stronger than the stored cookie. This allows the site to balance user convenience with its security policies, as needed.

System Authorization. While user authentication determines the identity 29 of the user U, authorization is the process of determining what an authenticated user U is allowed to do, and of determining which services and/or entities 27 are allowed to act on behalf of the user U.

For example, a web site that provides access to bank account information may be configured to allow the primary account holder to transfer funds to/from the account, but allow all members of the family to view the current account balance. While each user U is authenticated, only one user U is able to perform authorized activities.

Another example would be that of a network payment service (or smart wallet) 116n (FIG. 9, FIG. 10), which contains credit card information and/or cash account information 118. A user U of a wallet service 116n can controllably authorize a web site to access credit card information and/or cash account information. In this case, the user U is authenticated, and authorized to control the payment service, while the web site is also authenticated, but authorized only to access the credit card information.


As shown above, some embodiments of the identity based service system 10 feature a delegation of authorization, wherein a user U is not required to navigate to a payment site to authorize a transaction. For example, while a user U shops at a web site 120, during a checkout process, a system enabled web site 120 may access the payment/wallet service 116n, on behalf of the user U, wherein the user has delegated authorization to the web site to act on his behalf with the payment service 116n.

User Identity. In the identity based service system 10, the identity 29 of a user U comprises a persona for that user. As seen in Figure 10, a user U can preferably have more than one identity 29. For example, a user U can have one identity 29 for personal information, another for business information, and a third identity for "anonymous" web access.

The use of multiple identities 29 allows users U to store relevant information associated with each identity 29, and use or expose the information only as needed. For example, as seen in Figure 10, while "Financial Entity A" corporate credit card information 118j associated with a business identity 29 and work authentication record 132a is located in the wallet 116n, the "Financial Entity A" corporate credit card information 118j is not located in the wallet 116n associated with the home or personal authentication record 132b.

Similarly, an "anonymous" identity 29 would typically comprise no personally-identifiable 
information, enabling use of that identity 29 in appropriate situations. 

Scopes of Authentication. Network authentication occurs when a user's evidence of authentication is issued by a network authentication service 116a (FIG. 10), and enables a user U to access sites and services on the network 112. This enables single sign-on features, wherein all network participants accept network evidence of authentication, in accordance with their own site policies, e.g. the level of authentication required, and in accordance with user opt-in choices.

In addition, a local authentication may occur, such as when evidence of authentication for a user U is issued by a local site/service, using its own authentication facilities, wherein the evidence of authentication is only valid for that specific site or service. A local authentication does not inherently carry with the user U from one site to another, and does not allow the site to access network services on behalf of the user U.

Some embodiments of the identity based service system 10 provide both forms of authentication, whereby the system 10 can be integrated with sites that already have an authentication system.
Requester identity, such as that of a web service consumer 48, is established by the inclusion of a security token 186 (FIG. 13), which represents the identity of the requester, and by the signing of the relevant portions of the message with the key material implied by the security token 186. The security token 186 may be an X.509 certificate, a Kerberos ticket, a SAML assertion, a username and associated password, or any other valid security token 186, as deemed necessary by the web service provider 54. Additionally, replay protection is preferably employed, such as a nonce-based challenge-response protocol, a timestamp included in the signature, or another replay protection mechanism.

The responder's identity can be authenticated, such as by validating the signature on the response, which contains the original RequestID, so that the response is bound to the request that was actually sent.
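The requester and responder authentication just described, as an added example that is not code from this application: the consumer signs its request with the key implied by a security token and includes a timestamp and a nonce; the provider resolves the token, checks the signature before anything else, rejects stale or replayed messages, and signs a response that echoes the RequestID; the consumer accepts the response only if the signature verifies and the RequestID is the one it sent. Everything specific here is an assumption for the example: a symmetric shared-key token in place of the X.509, Kerberos or SAML tokens the text lists, HMAC-SHA256 over a canonical JSON serialisation as the signature, a 120-second freshness window, and the field names.

```python
import hashlib
import hmac
import json
import os
import time

FRESHNESS_WINDOW = 120  # seconds; an assumed value, not given in the source


def _canonical(payload: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, payload: dict) -> str:
    """Signature over a message (HMAC-SHA256 stands in for a token-appropriate signature)."""
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


def build_request(key: bytes, token_id: str, body: dict, now=None) -> dict:
    """WSC side: reference the security token, add timestamp and nonce, sign everything."""
    msg = {
        "RequestID": os.urandom(8).hex(),
        "SecurityToken": token_id,
        "Timestamp": int(time.time() if now is None else now),
        "Nonce": os.urandom(16).hex(),
        "Body": body,
    }
    msg["Signature"] = sign(key, msg)
    return msg


class WebServiceProvider:
    def __init__(self, token_keys: dict):
        self.token_keys = token_keys  # token id -> key material (hypothetical token registry)
        self.seen_nonces = set()      # replay cache; in practice expired with FRESHNESS_WINDOW

    def handle(self, req: dict, now=None) -> dict:
        now = time.time() if now is None else now
        key = self.token_keys.get(req.get("SecurityToken"))
        if key is None:
            return {"Error": "unknown security token"}
        unsigned = {k: v for k, v in req.items() if k != "Signature"}
        if not hmac.compare_digest(sign(key, unsigned), str(req.get("Signature", ""))):
            return {"Error": "bad signature"}  # any modified field, including Body, lands here
        if abs(now - req["Timestamp"]) > FRESHNESS_WINDOW:
            return {"Error": "stale timestamp"}
        if req["Nonce"] in self.seen_nonces:
            return {"Error": "replayed nonce"}
        self.seen_nonces.add(req["Nonce"])
        resp = {"RequestID": req["RequestID"], "Result": {"echo": req["Body"]}}
        resp["Signature"] = sign(key, resp)  # responder authentication, bound to the RequestID
        return resp


def verify_response(key: bytes, sent: dict, resp: dict) -> bool:
    """WSC side: the signature must verify and the echoed RequestID must be ours."""
    if "Signature" not in resp:
        return False
    unsigned = {k: v for k, v in resp.items() if k != "Signature"}
    return (hmac.compare_digest(sign(key, unsigned), resp["Signature"])
            and resp.get("RequestID") == sent["RequestID"])


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed exchange (hypothetical token id and body); returns outcomes to check."""
    key = os.urandom(32)
    wsp = WebServiceProvider({"tok-shop-1": key})
    req = build_request(key, "tok-shop-1", {"op": "GetProfile", "field": "email"}, now)
    resp = wsp.handle(req, now)
    tampered = dict(req, Body={"op": "GetProfile", "field": "creditcard"})
    forged = dict(resp, RequestID="0000000000000000")
    return {
        "first_ok": verify_response(key, req, resp),
        "replay": wsp.handle(req, now + 5).get("Error"),
        "stale": wsp.handle(build_request(key, "tok-shop-1", {}, now), now + 600).get("Error"),
        "tampered": wsp.handle(tampered, now).get("Error"),
        "forged_response_rejected": not verify_response(key, req, forged),
    }
```

The order of the checks matters: the signature is verified before the timestamp and nonce are trusted, so an attacker cannot fill the nonce cache or probe the clock with unsigned traffic, and the RequestID is covered by the response signature, so a valid response to one request cannot be substituted for another.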

Long-Lived Access to Services. In some alternate system embodiments 10, pursuant to the approval of a user U, the discovery service 54 issues long-lived service assertions to a web service consumer 48, such that the web service consumer 48 can repeatedly invoke a service at the web service provider 54. Continued acceptance of the service assertion 28 at the web service provider 54 is dependent on user approval of continued access to the service at the web service provider 54.

However, in system embodiments 10 wherein revocation is desired to be controlled by the identity provider 14 and associated discovery service 54, the discovery service 54 does not issue long-lived service assertions to a web service consumer 48. (***Clarify as needed***)
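Service invocation with a service assertion, the principal's policy enforced at the target provider, the wallet delegation described under System Authorization, and the two long-lived access variants above, as one added example that is not code from this application: a discovery service issues signed service assertions (short-lived by default, long-lived on request unless it is configured to keep revocation with the identity provider), and a wallet provider verifies the assertion, then applies the user's own delegation policy, and for long-lived assertions additionally checks that the user's approval has not been withdrawn. The field names, lifetimes, action names and the HMAC-SHA256 signature are assumptions made for the example.

```python
import hashlib
import hmac
import json

SHORT_TTL = 300                  # seconds; assumed
LONG_LIVED_TTL = 30 * 24 * 3600  # assumed


def _sign(key: bytes, payload: dict) -> str:
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class DiscoveryService:
    """Issues service assertions. allow_long_lived=False models the variant in which
    revocation stays with the identity provider: only short-lived assertions go out."""

    def __init__(self, key: bytes, allow_long_lived: bool = True):
        self.key = key
        self.allow_long_lived = allow_long_lived

    def issue(self, subject, audience, service, scopes, now, long_lived=False) -> dict:
        ttl = LONG_LIVED_TTL if (long_lived and self.allow_long_lived) else SHORT_TTL
        a = {"Subject": subject, "Audience": audience, "Service": service,
             "Scopes": sorted(scopes), "IssuedAt": int(now), "Expires": int(now) + ttl}
        a["Signature"] = _sign(self.key, a)
        return a


class WalletService:
    """Target WSP: does not simply consume the assertion; the principal's policy is applied."""

    def __init__(self, ds_key: bytes, service_name: str):
        self.ds_key = ds_key
        self.service_name = service_name
        self.policy = {}    # subject -> {wsc_id: set(actions)} the user has delegated
        self.approved = {}  # subject -> set(wsc_id) still approved for long-lived access

    def delegate(self, subject, wsc_id, actions):
        self.policy.setdefault(subject, {})[wsc_id] = set(actions)
        self.approved.setdefault(subject, set()).add(wsc_id)

    def revoke(self, subject, wsc_id):
        """User withdraws approval; an existing long-lived assertion stops working."""
        self.approved.get(subject, set()).discard(wsc_id)

    def invoke(self, assertion: dict, caller: str, action: str, now: float) -> str:
        body = {k: v for k, v in assertion.items() if k != "Signature"}
        if not hmac.compare_digest(_sign(self.ds_key, body), assertion.get("Signature", "")):
            return "deny: bad assertion signature"
        if assertion["Audience"] != caller or assertion["Service"] != self.service_name:
            return "deny: assertion not for this caller/service"
        if now >= assertion["Expires"]:
            return "deny: assertion expired"
        subject = assertion["Subject"]
        if action not in assertion["Scopes"]:
            return "deny: scope not in assertion"
        if action not in self.policy.get(subject, {}).get(caller, set()):
            return "deny: principal policy"
        long_lived = assertion["Expires"] - assertion["IssuedAt"] > SHORT_TTL
        if long_lived and caller not in self.approved.get(subject, set()):
            return "deny: user withdrew approval"
        return "allow: " + action


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed scenario (hypothetical site and user names); returns outcomes to check."""
    ds_key = b"ds-key-for-demo-only-0123456789ab"
    ds = DiscoveryService(ds_key)
    wallet = WalletService(ds_key, "urn:example:wallet")
    wallet.delegate("user-42", "bigretail", {"charge"})  # user delegated charging, nothing else
    a = ds.issue("user-42", "bigretail", "urn:example:wallet", {"charge", "read_card"}, now, long_lived=True)
    out = {
        "charge": wallet.invoke(a, "bigretail", "charge", now),
        "read_card": wallet.invoke(a, "bigretail", "read_card", now),  # in the assertion, not in the user's policy
        "wrong_caller": wallet.invoke(a, "smallshop", "charge", now),
        "next_week": wallet.invoke(a, "bigretail", "charge", now + 7 * 86400),
    }
    wallet.revoke("user-42", "bigretail")
    out["after_revoke"] = wallet.invoke(a, "bigretail", "charge", now + 7 * 86400)
    strict = DiscoveryService(ds_key, allow_long_lived=False)
    s = strict.issue("user-42", "bigretail", "urn:example:wallet", {"charge"}, now, long_lived=True)
    out["idp_controlled_ttl"] = s["Expires"] - s["IssuedAt"]
    return out
```

The assertion's scopes bound what the discovery service is willing to vouch for, but the wallet still consults what the principal actually delegated, so a scope the user never granted is refused even when the assertion carries it; and the long-lived path is only as durable as the user's standing approval.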

Service infrastructure. While current system embodiments 10 comprise a profile service (PS) 116 (FIG. 9), the identity based service system 10 preferably comprises a complete services infrastructure, such that the profile service 116, as well as other services, may be built on top of web service standards.

For example, the infrastructure is typically accessible via SOAP over HTTP calls, as defined by WSDL descriptions, and uses agreed-upon schemas, such that the web services infrastructure transparently supports both static and dynamic data. An example of static data is a basic profile service that returns an e-mail address. An example of dynamic data is a calendar service, which returns calendar appointments.

Attorney Docket No. AOL0041 PROPRIETARY INFORMATION - REVIEW DRAFT 15 April 2003


Services themselves are relatively coarse-grained (***Please clarify***), containing 
collections of attributes and service calls, such as a user's profile 116b, wallet 116n, or 
calendar/alerts 116c. 

Core Authentication Records. Figure 10 is a functional block diagram of a core authentication record (CAR) 132, which is maintained on behalf of a user U, such as by the BAA (FIG. XX) (***Is this shown?***). The core authentication record 132 comprises links 136,140 to sites 120a-120k which are associated through the identity based service system 10. The core authentication record 132 is also linked to an ACL 134 (***Please describe as needed***), and to services 138, such as core services 116, as provided by core service providers 118.

Figure 11 is a functional block diagram of multiple core authentication records (CAR) 132a, 132b, which are maintained on behalf of a user U. Some preferred embodiments of the identity based service system 10 comprise support for multiple identities, i.e. personifications or personas, for a user U, wherein a user may interact differently, such as within different environments.

For example, users U often look at their work personification as different and distinct from their home personification, with different sites 120 visited, different credit cards 116n, and sometimes even different alert mechanisms 116c.

As seen in Figure 11, multiple core authentication records (CAR) 132a, 132b are preferably supported by the identity based service system 10, whereby a user U selectively logs in 18 to one or more core authentication records 132.
The links 136 also preferably include quick-links 140 between accounts 132. Once a user U logs in 18 to either account 132, they can switch between the accounts 132, e.g. from 132a to 132b, on an as needed or as desired basis, without logging in 18 again. For example, as seen in Figure 11, a user U within a work authentication record 132a can link 140d to the associated home authentication record 132b for the user U. Similarly, the user U within a home authentication record 132b can link 140g to the associated work authentication record 132a for the user U.

Figure 12 is a functional block diagram 160 of multiple core authentication records (CAR) 132a, 132b, which are maintained on behalf of a user U, based upon the use of different devices 192a, 192b (FIG. 14). The identity based service system 10 also preferably comprises support for multiple devices 192 for a user U, wherein a user logs on 18 to the system through any of a plurality of devices 192, such as through a desktop computer 192a in an office, or through a mobile device 192b at any location.


While the user U may retain a similar identity while operating different devices, such as a work identity, the chosen services 138,116 and links 136,140 linked to the authentication records 132a, 132b may be chosen or selected as suitable for the device 192. For example, an extended alert list 116c may be linked to a desktop computer 192a, while an abbreviated alert list 116c may be linked to a mobile device 192b, such as a personal digital assistant 192b, or an Internet enabled cell phone 192b. Similarly, a wide variety of web site links 140 may be linked to a desktop computer 192a, while only a few key web site links 140 may be linked to a mobile device 192b.

While much of the identity 29, services 116, and/or core providers 118 may be shared between authentication records 132a, 132b in Figure 12, the authentication records 132a, 132b provide a customized operating environment for a user U, which is based on the device 192 from which the user U logs in 18.

System Advantages. The identity based service system 10 provides significant advantages over conventional identity and service structures. Through the establishment of a system identity 29, a user U can quickly provide information as needed to system entities 27, while controlling how the information is distributed. The use of a secure and centralized identity structure provides controlled authentication and authorization of all system entities 27.


Through the use of detailed identity information, the identity based service system 10 provides unique value-added services, such as fast sign-in 18, a customized personal network environment, and quick links 140 to existing and new associated web service providers 120.


System Operation. Figure 14 is a schematic view 190 of a user logging onto a first service provider site 120, wherein the user does not currently have a system identity 29. In the process of registering as a user at the site 120, the user typically establishes a user name 192 and password 194, and enters appropriate information to operate within the site 120, such as name, address, and/or credit information 96.

Figure 15 is a second view 200 of operation for an identity based service system 10, wherein the user is asked if an identity based service system identity 174 is desired, to easily establish relationships with other providers 120, such as through selectable member site links 202, and/or to establish or manage system services 116, e.g. such as to establish a profile service 116b or a wallet service 116n, through selectable service links 204.

Figure 16 is a third view 210 of operation for an identity based service system 10, in which a system identity 29 is established at an identity provider 14. The information gathered from the first site 120 is securely stored in the identity provider 14. The user U may easily choose one or more member site links 202 and/or service links 204, typically from an identity service selection screen 206.

Although the identity based service system and its methods of use are described herein in connection with personal computers, mobile devices, and other microprocessor-based devices, such as portable digital assistants or network enabled cell phones, the apparatus and techniques can be implemented for a wide variety of electronic devices and systems, or any combination thereof, as desired.

As well, while the identity based service system and its methods of use are described 
herein in connection with interaction between a principal and a network through a 
device, the use of identity based services can be implemented for a wide variety of 
electronic devices and networks or any combination thereof, as desired. 

Accordingly, although the invention has been described in detail with reference to a 
particular preferred embodiment, persons possessing ordinary skill in the art to which 
this invention pertains will appreciate that various modifications and enhancements may 
be made without departing from the spirit and scope of the claims that follow. 
What is claimed is:

1. An identity based service system, comprising:

at least one principal comprising at least one identity comprising user information;
an identity provider for managing at least one identity for the principal, and for authenticating the principal; and

a system entity which is accessible by the principal, based on an authentication of the principal by the identity provider, and based on retrieval of at least a portion of user information from the identity provider.

2. The identity based service system of Claim 1, further comprising:

at least one core service associated with the system and related to at least a portion of the user information.

3. The identity based service system of Claim 2, wherein the core service is accessible by the user, based on an authentication of the principal by the identity provider.

4. The identity based service system of Claim 2, wherein the core service is accessible by the system entity, based on an authentication of the principal by the identity provider.

5. The identity based service system of Claim 2, wherein the core service is associated 
with one or more core service providers. 


6. The identity based service system of Claim 2, wherein the core service comprises 
any of an authentication service, a profile service, an alert service, a calendar service, 
and a wallet service. 
7. The identity based service system of Claim 1, wherein the identity provider further comprises means for translating namespaces, such that a user identity of a principal in a first namespace is translatable to a user identity in a second namespace.

8. The identity based service system of Claim 7, wherein the user identity in the second namespace is encrypted.

9. The identity based service system of Claim 7, wherein the user identity in the second 
namespace is time-bound. 


10. The identity based service system of Claim 1, further comprising:

at least one core authentication record associated with the identity, comprising 
any of services and links associated with the identity. 

11. An identity based service system, comprising:

an identity module for managing an identity for a user; 

a discovery module associated with the identity module and adapted to receive a user name identifier and a service name associated with the user;

means for discovering a service descriptor for the user, based on a received name identifier and a service name; and

whereby at least one web service is accessible, based upon the discovered 
service descriptor and the name identifier. 

12. The identity based service system of Claim 11, further comprising:

at least one core service associated with the system and related to the user.

13. The identity based service system of Claim 12, wherein the core service is 
accessible by the user, based on a system authentication of the principal at the identity 
module. 
14. The identity based service system of Claim 12, wherein the core service is accessible by a system entity, based on an authentication of the principal at the identity module.

15. The identity based service system of Claim 12, wherein the core service is associated with one or more core service providers.

16. The identity based service system of Claim 12, wherein the core service comprises any of an authentication service, a profile service, an alert service, a calendar service, and a wallet service.



17. The identity based service system of Claim 11, wherein the identity module further comprises means for translating namespaces, such that a user identity of a principal in a first namespace is translatable to a user identity in a second namespace.

18. The identity based service system of Claim 17, wherein the user identity in the 
second namespace is encrypted. 



19. The identity based service system of Claim 17, wherein the user identity in the second namespace is time-bound.



20. The identity based service system of Claim 1 , further comprising: 

at least one core authentication record associated with the identity, comprising 
any of services and links associated with the identity. 


21. The system of Claim 11, wherein the principal is located at a device linked to the 
identity based service system. 

22. An identity based service process, comprising: 

providing an identity module for managing an identity for a user;

receiving a user name identifier and a service name associated with the user; 
discovering a service descriptor for the user, based on a received name identifier and a service name; and

controllably authenticating access to a service, based upon the receipt of the discovered service descriptor and the name identifier.


23. The process of Claim 22, further comprising the step of:

establishing at least one core service associated with the system and related to 
the user. 

24. The process of Claim 23, wherein the core service is accessible by the user, based on a system authentication of the principal at the identity module.

25. The process of Claim 23, wherein the core service is accessible by a system entity, 
based on an authentication of the principal at the identity module. 


26. The process of Claim 23, wherein the core service is associated with one or more 
core service providers. 

27. The process of Claim 23, wherein the core service comprises any of an authentication service, a profile service, an alert service, a calendar service, and a wallet service.

28. The process of Claim 22, further comprising the step of: 

translating namespaces, such that a user identity of a principal in a first namespace is translated to a user identity in a second namespace.

29. The process of Claim 28, further comprising the step of: 

encrypting the user identity in the second namespace. 

30. The process of Claim 22, wherein the user identity in the second namespace is time-bound.

31. The process of Claim 22, further comprising the step of:

associating at least one core authentication record with the identity, comprising any of services and links associated with the identity.


32. A process, comprising the steps of: 

providing an identity provider networked to a service having a service name;

establishing an identity at the identity provider for a principal, comprising 
information and a name identifier for a user; 
establishing a link between the principal and the service by the identity provider, based upon a receipt of a name identifier and a service name.
Identity Based Service System
ABSTRACT OF THE DISCLOSURE

An identity based service system is provided, in which an identity is created and managed for a user or principal, such that at least a portion of the identity is available to use between one or more system entities. A discovery service enables a system entity to discover a service descriptor, given a service name and a name identifier of the user, whereby system entities can find and invoke the user's other personal web services. The discovery service preferably provides a translation between a plurality of namespaces, to prevent linkable identity information over time between system entities.
IDENTITY BASED SERVICE SYSTEM



FIELD OF THE INVENTION 


The invention relates to the field of network based services and structures. More particularly, the invention relates to identity creation, management, authentication, and authorization structures for enhanced network services.

BACKGROUND OF THE INVENTION

At the present time, the identity of an individual or user in a network environment, such as the Internet, consists of a large number of pieces of information, which are collected and recollected by a large number of entities. Some basic information regarding an individual, such as but not limited to name information, address information, identification information, financial information, profile information, and/or preference information, is repeatedly collected and stored at a large number of system entities. Additional information, such as a user name and password, is created, as necessary, such that the individual or user can sign on and/or gain access to a service provider.

A large number of pieces of an individuars business and personal identity are therefore 
scattered across an increasing number of system entities, such as but not limited to 
commercial entities, banking and investment institutions, credit card companies, service 
25 providers, and/or educational institutions. 

Individuals are therefore required to repeatedly enter much of the same information, in 
the process of numerous professional and/or personal endeavors. Furthermore, as the 
information for an individual changes, the stored information becomes increasingly 
30 impractical to manage and/or update. In addition, the numerous user names and 
passwords associated with an individual quickly becomes unwieldy, such that users 
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often forget or lose track of the information ttiey need to access services and/or 
accounts. 

Several structures and methods have been described for identity and proxy-based
networks, such as:

E. Gabber, P. Gibbons, Y. Matias, and A. Mayer, System and Method for Providing
Anonymous Personalized Browsing by a Proxy System in a Network, U.S. Pat. No.
5,961,593, 05 October 1999, describes a system "For use with a network having server
sites capable of being browsed by users based on identifiers received into the server
sites and personal to the users, alternative proxy systems for providing substitute
identifiers to the server sites that allow the users to browse the server sites
anonymously via the proxy system. A central proxy system includes computer-executable
routines that process site-specific substitute identifiers constructed from
data specific to the users, that transmits the substitute identifiers to the server sites, that
retransmits browsing commands received from the users to the server sites, and that
removes portions of the browsing commands that would identify the users to the server
sites. The foregoing functionality is performed consistently by the central proxy system
during subsequent visits to a given server site as the same site specific substitute
identifiers are reused. Consistent use of the site specific substitute identifiers enables
the server site to recognize a returning user and, possibly, provide personalized
service";

Proxy-Based Security Protocols in Networked Mobile Devices; M. Burnside, D. Clarke,
T. Mills, S. Devadas, and R. Rivest; MIT Laboratory for Computer Science;
{event, declarke, mills, devadas, rivest}@mit.edu;

SPKI/SDSI HTTP Server / Certificate Chain Discovery in SPKI/SDSI; D. Clarke; MIT
Laboratory for Electrical Engineering and Computer Science, September 2001;

Grid Information Services for Distributed Resource Sharing; K. Czajkowski, S.
Fitzgerald, I. Foster, C. Kesselman; Proc. 10th IEEE Symposium on High-Performance
Distributed Computing, 2001;

Certificate Discovery Using SPKI/SDSI 2.0 Certificates; J. Elien; MIT Department of
Electrical Engineering and Computer Science; May 1998; and

Local Names in SPKI/SDSI; N. Li; NYU Department of Computer Science; Proceedings
of the 13th IEEE Computer Security Foundations Workshop.

Other systems provide various details of the operation of network identity and proxy
systems, such as U.S. Patent No. 6,460,036, System and Method for Providing
Customized Electronic Newspapers and Target Advertisements; U.S. Patent No.
6,029,195, System for Customized Electronic Identification of Desirable Objects; U.S.
Patent No. 5,835,087, System for Generation of Object Profiles for a System for
Customized Electronic Identification of Desirable Objects; U.S. Patent No. 5,754,939,
System for Generation of User Profiles for a System for Customized Electronic
Identification of Desirable Objects; U.S. Patent No. 5,754,938, Pseudonymous Server
for System for Customized Electronic Identification of Desirable Objects; U.S. Patent
No. 6,490,620, Integrated Proxy Interface for Web Based Alarm Management Tools;
U.S. Patent No. 6,480,885, Dynamically Matching Users for Group Communications
Based on a Threshold Degree of Matching of Sender and Recipient Predetermined
Acceptance Criteria; U.S. Patent No. 6,473,407, Integrated Proxy Interface for Web
Based Alarm Management Tools; U.S. Patent No. 6,421,733, System for Dynamically
Transcoding Data Transmitted Between Computers; U.S. Patent No. 6,385,652,
Customer Access Solutions Architecture; U.S. Patent No. 6,373,817, Chase Me
System; U.S. Patent No. 6,338,064, Method for Enabling a Web Server Running a
"Closed" Native Operating System to Impersonate a User of a Web Client to Obtain a
Protected File; U.S. Patent No. 6,259,782, One-Number Communications System and
Service Integrating Wireline/Wireless Telephone Communications Systems; U.S. Patent
No. 5,974,566, Method and Apparatus for Providing Persistent Fault-Tolerant Proxy
Login to a Web-Based Distributed File Service; European Pat. No. EP 1094404,
Collaborator Discovery Method and System; European Pat. No. EP 1031206, Identity
Discovery Method for Detecting Authorized Security Service Which is Illicitly
Transferring Decoding Capabilities for use in Unauthorized Security Devices; The
Session Initiation Protocol: Internet-Centric Signaling; H. Schulzrinne, J. Rosenberg;
IEEE Communications Magazine; October 2000; How Bluetooth Embeds in the
Environment; Lawday, G.; Electronic Product Design; Nov. 2001; and Business:
Designing with Users in Internet Time; J. Braiterman, S. Verhage, and R. Choo;
Interactions: Sept.-Oct. 2000.

It would be advantageous to provide an identity based service system, which does not
require a user to create a user identity for each service provider. The development of
such an identity based service system would constitute a major technological advance.

Furthermore, it would be advantageous to provide an identity based service system,
which allows a user to create an identity which can be controllably accessed and
shared by a plurality of service providers. The development of such an identity based
service system would constitute a further technological advance.

As well, it would be advantageous that such an identity based service system be
integrated with existing site authentication and authorization structures, such that the
identity based service system is readily used by a wide variety of sites. The
development of such an identity based service system would constitute a further major
technological advance.

SUMMARY OF THE INVENTION

An identity based service system is provided, in which an identity is created and
managed for a user or principal, such that at least a portion of the identity is available to
use between one or more system entities. A discovery service enables a system entity
to discover a service descriptor, given a service name and a name identifier of the user,
whereby system entities can find and invoke the user's other personal web services.
The discovery service preferably provides a translation between a plurality of
namespaces, to prevent linkable identity information over time between system entities.

Attorney Docket No. AOL0091

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a basic functional block diagram for an identity based service system, in
which a service provider accesses services for a principal;

Figure 2 is a flow diagram for the access of service within an identity based service
system;

Figure 3 is a functional block diagram of an identity based service system, comprising a
discovery service associated with an identity provider, a web service provider, and a
web service consumer;

Figure 4 is a flow diagram for the access of service within an identity based service
system comprising a discovery service associated with an identity provider, a web
service provider, and a web service consumer;

Figure 5 is a functional block diagram of an identity based service system, in which a
discovery service issues service assertions that are used to invoke services;

Figure 6 is a flow diagram for the access of service in the identity based service system
shown in Figure 5;

Figure 7 is a functional block diagram of profile service principal core information;

Figure 8 is a functional block diagram of a profile data entry;

Figure 9 is a schematic view of an identity based service system configured on a virtual
network;

Figure 10 is a functional block diagram of a core authentication record;

Figure 11 is a functional block diagram of multiple core authentication records which are
maintained on behalf of a plurality of identities for a user;

Figure 12 is a functional block diagram of multiple core authentication records
maintained on behalf of a user, based upon system access through different devices;

Figure 13 is a schematic view of namespace translation within the identity based
service system;

Figure 14 is a first schematic view of operation for an identity based service system, in
which a user logs onto a first service provider site;

Figure 15 is a second view of operation for an identity based service system, wherein a
user may select system site links and/or system service links; and

Figure 16 is a third view of operation for an identity based service system, in which a
system identity is established at an identity provider.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Figure 1 is a basic functional block diagram for an identity based service system 10a, in
which a service provider 16 accesses services for a principal 12. Figure 2 is a flow
diagram 30 for the access of service within an identity based service system 10. In
Figure 1, the system entities 27 comprise an identity provider 14, a service provider 16,
and a principal 12. The system entities 27 assume roles within the identity based
service system 10.
A principal 12, such as a user or user agent, is an entity 27 that can acquire a system
identity 29, and be authenticated and vouched for 19 by an identity provider 14. A
principal 12 often comprises a user, using a user agent, either a web browser or a
smart web services client.

An identity provider (IDP) 14 authenticates and vouches for principals 12, and provides
system management for system identities 29. A service provider (SP) 16 provides
service to one or more requestors, such as principals 12, typically through a web
consumer 48 (Fig. 3), upon proof of authentication 19 by the identity provider 14.

The identity based service system 10a shown in Figure 1 provides a web services-based
service infrastructure that enables users U to manage the sharing of their
personal information across an identity provider 14 and service providers 16. In some
system embodiments 10, the system 10 also provides personalized services 116 (FIG.
9) for users U (FIG. 11).

For example, a user U, through a principal 12, is able to authorize a service provider 16
to access his or her contact data 94a (FIG. 7), such as shipping address data 96 (FIG.
7), while processing a transaction. Principals 12 are able to use sophisticated clients
that support web services, in addition to traditional browser-oriented user agents. In
some system embodiments, web services are defined as Simple Object Access Protocol
(SOAP) bindings over HTTP calls, comprising header blocks and processing rules, which
enable the invocation of identity services 116 through SOAP requests and
responses.

The identity based system framework 10 enables service providers 16 and other
system entities 27 to craft and offer sophisticated services, including multi-provider-based
services 116 (FIG. 9).
Figure 3 is a functional block diagram 40 of an identity based service system 10b, which
further comprises a discovery service 42 associated with the identity provider 14, a web
service provider 54, and a web service consumer 48. Figure 4 is a flow diagram 60 for
the access of service within an identity based service system 10b.

A web service provider (WSP) 54 hosts personal web services 116 (FIG. 9), such as a
profile service 116b (FIG. 9), while a web service consumer (WSC) 48 invokes web
services 116 at web service providers WSP 54. With appropriate identification and
authorization, a web service consumer 48 is able to access the user's personal web
services 116, by communicating with the web service provider endpoint 54.

As seen in Figure 3, the identity provider IDP 14 provides authentication 19 to the
principal 12, based upon a successful log in 18. The principal 12 then interacts with the
service provider 16, and relays the authentication information 19, comprising an IDP
assertion 45 and a discovery service descriptor 26.

The service provider SP 16, acting as a web service consumer 48, uses the discovery
service 42 to determine whether the principal 12 is enabled for a particular service 116,
and to obtain the necessary assertions which authorize use of the service 116. The
policy framework addresses whether the principal 12 is enabled for some particular
service, and if so, what fine-grained methods are allowed, and what data is to be
returned. Web service security is typically applied to all messages flowing between
system entities 27.

As seen in Figure 3, the identity based service system 10b comprises a web-service
infrastructure, which comprises the discovery service 42, service invocation 52, a
permission and authorization framework, a change management framework, as well as
a mobile infrastructure.
In some system embodiments 10, web service consumers 48 are hosted on a server at
a service provider 54. In alternate system embodiments 10, web service consumers 48
are hosted on a user device 192 (FIG. 14).

A discovery service (DS) 44 is typically hosted by an identity provider (IDP) 14, and
enables web service consumers 48 to discover service endpoint information 96 (FIG. 7)
associated with the personal web services 116 of a user U.

Architectural Components. The identity based service system 10 comprises the
following architectural components:

Services. A service is a grouping of common functionality. For example, a core
profile service 116b (FIG. 9) handles all interaction to do with user profile
information 96. Services typically offer one or more methods callers use to
manipulate the information managed by the service, and are typically scoped in
the context of a particular principal 12, e.g. GetProfile (Principal) accesses the
principal's entire set of profile data.

Services may be either RPC-style or one-way exchanges. In RPC-based
exchanges, the Web Services Consumer 48 is the requestor 50, and the Web
Services Provider 54 is the responder 51.

Schemas. Schemas describe the syntax and relationships of data. Each
service element 116 comprises an associated schema for the data that is
relevant to the service element 116. For example, the profile service 116b
comprises schema elements 96 which are relevant to a profile 94, such as but
not limited to a name, an address, and a phone number for a user U.

System Entity Roles. System Entities may assume one or more roles.
As seen in Figure 3, service descriptors 26 are used to locate a system service 54,
while service assertions 28 are used as credentials, to access the system service 54. A
service descriptor 26 typically describes a SOAP endpoint for an identity based system
service 54. A service assertion 28 is an assertion used as a credential to access an
identity based system service 54.

Discovery Service Overview. In the identity based service system 10, the personal
web services 116 for a user U are preferably distributed across multiple web service
providers 54. Therefore, web service consumers 48 comprise a means for discovering
service locations 54. The discovery service 42 is a personal web service which enables
system entities 27 to discover a service descriptor 26, given a service name and a
user's name identifier 174 (FIG. 13), whereby a web service consumer 48 is able to find
and invoke the web services 54 of a user U.

Figure 5 is a functional block diagram 70 of an identity based service system 10, in
which a discovery service 42 issues service assertions 28 that are used to invoke
services 54. Figure 6 is a flow diagram 80 for the access of service 54.

Because of the pseudonymous identity of users in the identity based service system 10,
web service consumers 48 and web service providers 54 do not have a common name
for a user U. The identity provider 14 of a user U is the system entity 27 that maps
between the disparate namespaces 176, 182 (FIG. 13). As seen in Figure 13, the
discovery service 42, which is hosted by the identity provider 14, provides this
namespace translation.

The web service consumer 48 prompts the name translation service by sending the
user's name 174a in the WSC-IDP namespace 176 to the identity provider 14. The
identity provider 14 hands back a user name 174b in the WSP-IDP namespace 182,
in a format to which the web service consumer 48 is blinded, via encryption
184. The encrypted value 184 of the name 174b is preferably different each time the
name 174a, 174b is used, such that there is no linkable identity information over time
between the web service consumer 48 and the web service provider 54. This name
translation assertion 28 is also preferably time-bound, to prevent long-term use of a
translated name 174b, and to prevent linking of the actions of a principal 12.

In the identity based service system 10, the user's identity provider 14 always hosts the
discovery service 42, since the discovery service 54 must be aware of the pair-wise
identifier relationships 174a, 174b between parties 27.

In response to a discovery request, the service 54 returns 52 a service descriptor 26
that points to a particular web service provider 54. Additionally, a translated name 174b
and relevant security tokens 186 (FIG. 13) are typically included as well. Some
discovery services 54 enforce user presence requirements on web service consumers
48, and/or enforce one or more authorization rules on each web service consumer 48.

The discovery service 54 also provides an administrative interface, whereby the set of
services 116 for a user can be configured. Services may be registered and
unregistered.
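The namespace translation and discovery exchange described above, as an added worked example that is not code from the specification or from AOL: an identity provider hosting the discovery service derives a different pair-wise name identifier for each partner, and answers a WSC's discovery request with the service descriptor plus the user's name in the WSP namespace, sealed under a key the IDP shares with that WSP, time-bound, and bound to the descriptor it travels with. The partner names, service names, endpoints and the HMAC-SHA256 counter-mode keystream (a stand-in for an AEAD such as AES-GCM) are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudo-random function over the joined parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (_prf(key, nonce, i.to_bytes(4, "big")) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(shared_key: bytes, plaintext: bytes, aad: bytes) -> dict:
    """Encrypt-then-MAC under a fresh random nonce. Assumption: an HMAC counter-mode
    keystream stands in for a real AEAD. The nonce makes every sealing differ."""
    nonce = os.urandom(16)
    k_enc, k_mac = _prf(shared_key, b"enc"), _prf(shared_key, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = _prf(k_mac, nonce, aad, ct)  # binds the descriptor (audience, service, expiry)
    return {"nonce": _b64(nonce), "ct": _b64(ct), "tag": _b64(tag)}


def unseal(shared_key: bytes, blob: dict, aad: bytes) -> bytes:
    nonce, ct, tag = (base64.urlsafe_b64decode(blob[k]) for k in ("nonce", "ct", "tag"))
    k_enc, k_mac = _prf(shared_key, b"enc"), _prf(shared_key, b"mac")
    if not hmac.compare_digest(tag, _prf(k_mac, nonce, aad, ct)):
        raise ValueError("translated-name token failed its integrity check")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


class IdentityProvider:
    """Hosts the discovery service; the only party that knows which pair-wise
    name identifiers belong to the same user."""

    def __init__(self):
        self._master = os.urandom(32)
        self._partner_keys = {}  # partner name -> key shared between IDP and partner
        self._users = {}         # internal user id -> {service name: (wsp, endpoint)}

    def enrol_partner(self, partner: str) -> bytes:
        self._partner_keys[partner] = os.urandom(32)
        return self._partner_keys[partner]

    def register_user(self, user_id: str) -> None:
        self._users[user_id] = {}

    def register_service(self, user_id: str, service: str, wsp: str, endpoint: str) -> None:
        self._users[user_id][service] = (wsp, endpoint)

    def name_identifier(self, user_id: str, partner: str) -> str:
        """The user's pseudonym in the IDP/partner namespace: derived per partner,
        so a WSC and a WSP never hold a common name for the user."""
        return _prf(self._master, b"nameid|", user_id.encode(), b"|", partner.encode()).hex()

    def _resolve(self, partner: str, name_id: str) -> str:
        for user_id in self._users:
            if hmac.compare_digest(self.name_identifier(user_id, partner), name_id):
                return user_id
        raise LookupError("no user has that identifier with " + partner)

    def discover(self, requester: str, name_id: str, service: str, ttl: int = 300) -> dict:
        """Discovery request from WSC `requester`: the service descriptor plus the
        user's name in the WSP namespace, sealed so the WSC cannot read it."""
        user_id = self._resolve(requester, name_id)
        if service not in self._users[user_id]:
            raise LookupError("principal is not enabled for " + service)
        wsp, endpoint = self._users[user_id][service]
        descriptor = {"svc": service, "wsp": wsp, "endpoint": endpoint,
                      "exp": int(time.time()) + ttl}
        aad = json.dumps(descriptor, sort_keys=True).encode()
        translated = self.name_identifier(user_id, wsp).encode()
        descriptor["name_token"] = seal(self._partner_keys[wsp], translated, aad)
        return descriptor


class WebServiceProvider:
    def __init__(self, name: str, key_shared_with_idp: bytes):
        self.name, self._key = name, key_shared_with_idp

    def accept_name_token(self, descriptor: dict, now: float = None) -> str:
        """Recover the user's name in this WSP's namespace; rejects tokens for
        another WSP, expired tokens, and tokens whose descriptor was altered."""
        now = time.time() if now is None else now
        fields = {k: descriptor[k] for k in ("svc", "wsp", "endpoint", "exp")}
        if fields["wsp"] != self.name:
            raise ValueError("token was issued for " + fields["wsp"])
        if fields["exp"] <= now:
            raise ValueError("token has expired")
        aad = json.dumps(fields, sort_keys=True).encode()
        return unseal(self._key, descriptor["name_token"], aad).decode()
```

Because a fresh nonce is drawn for every sealing, two discovery responses for the same user carry different ciphertexts and the WSC cannot correlate them, while the WSP holding the shared key recovers the same WSP-namespace name from both. Folding the descriptor into the authenticated data means a relayed token cannot be pointed at another endpoint or have its expiry extended without failing the tag check.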

Profile Service. Figure 7 is a functional block diagram 90 of profile service 116b (FIG.
9) principal core information 92. A profile service 90 manages the core personal
information 92 for a principal 12. The core personal information 92 typically comprises
a plurality of data types 94a-94n, such as contact data 94a, demographic data 94b,
and/or core preferences 94n.

A profile service 116 (FIG. 9) allows principals 12 to create a profile 92, to update
profile data 94a-94n, and to specify privacy controls 98. Once a user creates a profile
92, the profile 92 can be used at any of the system web service consumer 48 sites,
such that principals 12 are not required to re-enter data, such as on a registration form.

Figure 8 is a functional block diagram of a profile data entry. Each profile data entry 96
is typically associated with a collection of metadata 107, such as data categories 102,
change timestamp information 104, data validation information 106, and/or creator
information 108.

Data category information 102 allows information to be classified as applicable, such as
to define a home or business profile. For example, an address can be classified as a
home and/or a business address. Data categories 102 are typically defined by web
service providers 54, by web service consumers 48, and/or by principals 12.

Change timestamp information 104 typically comprises a number 105, e.g. 105a,
which represents the latest modification time of a particular node and its associated
descendants.

Data validation information 106 comprises an indication of whether the data content 94
has been validated or not. If the data content 94 is validated, the information may
preferably comprise what type of validation was performed, and when the validation
was performed. A web service consumer 48 typically uses metadata 107.
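An added example of the profile data entry metadata just described, not code from the specification: a small profile tree in which every node carries the newest change timestamp of itself and its descendants, so a web service consumer synchronising against the profile can ask for everything changed since its last poll and the service can skip whole unchanged subtrees without descending into them; categories and a validated flag are kept as per-entry metadata. The paths, categories and timestamps are constructed for the example.

```python
class ProfileNode:
    """One node of a principal's profile tree: a data entry (leaf) or a grouping."""

    def __init__(self):
        self.children = {}
        self.value = None
        self.meta = {}       # categories, validated, creator ... (the entry's metadata)
        self.changed = 0     # latest modification time of this node or any descendant


class ProfileTree:
    def __init__(self):
        self.root = ProfileNode()

    def set(self, path: str, value, ts: int, **meta) -> None:
        """Store `value` at `path` (e.g. "contact/address/city") modified at `ts`;
        every ancestor's timestamp becomes the newest one in its subtree."""
        node = self.root
        node.changed = max(node.changed, ts)
        for part in path.split("/"):
            node = node.children.setdefault(part, ProfileNode())
            node.changed = max(node.changed, ts)
        node.value = value
        node.meta = dict(meta, change_timestamp=ts)

    def get(self, path: str):
        node = self.root
        for part in path.split("/"):
            node = node.children[part]
        return node.value, node.meta

    def changed_since(self, since: int) -> list:
        """Paths of entries modified after `since`. A subtree whose root
        timestamp is not newer than `since` is pruned without descending."""
        out, stack = [], [("", self.root)]
        while stack:
            prefix, node = stack.pop()
            if node.changed <= since:
                continue
            if node.value is not None:
                out.append(prefix)
            for name, child in node.children.items():
                stack.append((prefix + "/" + name if prefix else name, child))
        return sorted(out)

    def select(self, category: str = None, validated_only: bool = False) -> dict:
        """Flatten to {path: value}, keeping only entries in `category` (if given)
        and, if `validated_only`, only entries whose validation flag is set."""
        out, stack = {}, [("", self.root)]
        while stack:
            prefix, node = stack.pop()
            if node.value is not None:
                in_category = category is None or category in node.meta.get("categories", ())
                if in_category and (not validated_only or node.meta.get("validated", False)):
                    out[prefix] = node.value
            for name, child in node.children.items():
                stack.append((prefix + "/" + name if prefix else name, child))
        return out
```

A consumer that recorded the timestamp of its last poll can call `changed_since` with it and receive only the entries it needs to refresh; because `set` takes the maximum rather than overwriting, a late write carrying an older timestamp never makes an ancestor look older than its children.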

Figure 9 is a schematic view 110 of an identity based service system 10 configured on
a virtual network 112. The virtual network 112 provides a single set 114 of services
116a-116n, which are provided by one or more contributors 118a-118j. The virtual
network 112 formed within the identity based service system 10 provides one or more
core services 116, such as an authentication service 116a, a profile service 116b, an
alert service 116c, and/or a wallet service 116n. The identity based service system 10
also supports other value-added services 116 for a user, such as a calendar service
and/or an address book service. The identity based service system 10 provides access
for a wide variety of web consumer sites 120a-120k, such as large and small business
sites 120a, 120k.

As seen in Figure 9, service consumers 48 comprise sites which use services 116 from
the network 112. As seen through a site 120, the services 116 presented by the virtual
network 112 preferably look like a single set 114 of services 116, i.e. from a single
provider 118 of services, even though the services are typically provided by any number
of contributors 118a-118j.

The core service provider 118b shown in Figure 9 provides all of the core services
116a-116n on the virtual network 112. While some basic services, such as a profile
service, are currently available through some Internet providers, such services are
separate and distinct. In the identity based service system 10, the various services
116a-116n are aware of each other and of the virtual network 112.

As seen in Figure 9, the identity based service system 10 preferably comprises a
plurality of service contributors, i.e. vendors 118a-118j. While different vendors 118
typically contribute different sets of varying services 116, the source of a service 116 is
typically transparent to users U as they interact with the recipient sites 120.

Levels of Trust and Integration. The identity based service system 10 preferably
provides varying levels of trust and integration. For example, as seen in Figure 9, a
small retail site 120k typically has a low level of trust, such that a user U is
typically asked to confirm transactions, through redirect exchanges with the system 10.

A larger site 120, such as a large retail site 120a or an auction site 120b, which is
integrated with the network 112 and is able to perform tasks on behalf of the user U,
e.g. get money from a wallet 116n, typically has a higher level of trust with the system
10.

Core service providers 118, such as providers 118a-118j of core services 116, typically
have a high level of trust with the system 10, and are able to perform system functions
on behalf of a user U. In addition, core service providers 118 which provide
authentication 116a have the highest level of service requirements, and inherently
require the highest level of trust within the system 10.
Service Invocation. In order to enable interactions between multiple endpoints within
a circle of trust, the discovery service 54 issues service assertions 28 (FIG. 3, FIG. 5)
that can be used by service consumers 48, such as to access other service providers
54.

In some embodiments of the identity based service system 10, messages can be
routed and transported through multiple hops. Additionally, message-level
confidentiality is employed for sensitive data in multi-hop cases where confidentiality is
required, since transport-level protection ends at each intermediate hop.

The target service provider 54 does not simply consume the service assertion 28.
Relevant policy is enforced to ensure that the service invocation is in line with the
principal's policies.

Authentication. Most system services require requester authentication. Additionally,
the response is authenticated. For example, a user authentication comprises a
determination of the identity 29 of a user U. Online authentication can take many forms,
such as a stored browser cookie, a user name/password combination, or stronger
technologies such as smart cards or biometric devices.

In the identity based service system 10, the user's identity 29 is authenticated in
accordance with privacy and security policies. The evidence of authentication for a
user U comprises the user identity 29, in addition to guarantees of authentication. The
evidence of authentication for a user U refers to stored and/or passed data that
indicates that a user is authenticated, and which can be interrogated to verify the
authentication.

As an example, web sites often use a stored cookie to provide personalization
information about their site for the user. However, for e-commerce transactions, that
same web site will often require a user ID and password. Both are authentications, but
the ID/password is stronger than the stored cookie. This allows the site to balance user
convenience with its security policies, as needed.

System Authorization. While user authentication determines the identity 29 of the
user U, authorization is the process of determining what an authenticated user U is
allowed to do, and the determination of any services and/or entities 27 which are allowed
to act on behalf of the user U.

For example, a web site that provides access to bank account information may be
configured to allow the primary account holder to transfer funds to/from the account, but
allow all members of the family to view the current account balance. While each user U
is authenticated, only one user U is authorized to transfer funds.

Another example would be that of a network payment service (or smart wallet) 116n
(FIG. 9, FIG. 10), which contains credit card information and/or cash account
information 118. A user U of a wallet service 116n can controllably authorize a web site
to access credit card information and/or cash account information. In this case, the user
U is authenticated, and authorized to control the payment service, while the web site is
also authenticated, but authorized only to access the credit card information.

As shown above, some embodiments of the identity based service system 10 feature a
delegation of authorization, wherein a user U is not required to navigate to a payment
site to authorize a transaction. For example, while a user U shops at a web site 120,
during a checkout process, a system enabled web site 120 may access the
payment/wallet service 116n on behalf of the user U, wherein the user has delegated
authorization to the web site to act on his behalf with the payment service 116n.
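The service-assertion check and principal-policy enforcement described under Service Invocation and System Authorization, as an added worked example that is not code from the specification: the discovery service issues a signed assertion naming the consumer, the provider, the service and the methods in scope; the wallet service verifies that credential and then applies the principal's own delegation, which here lets shop.example call GetPaymentInstrument and see the credit card but not the cash account, and lets the principal withdraw that delegation without touching the assertion. The HMAC signature (standing in for the discovery service's signature over a SAML assertion), the subject name (the user's name in the wallet provider's namespace), the party names and the wallet contents are assumptions of the example.

```python
import hashlib
import hmac
import json
import time


def _sign(key: bytes, claims: dict) -> str:
    """HMAC over the canonical claims; assumption: stands in for the discovery
    service's signature over a SAML-style service assertion."""
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue_service_assertion(ds_key: bytes, subject: str, wsc: str, wsp: str, service: str,
                            methods, ttl: int = 300, now: float = None) -> dict:
    """Discovery-service side: a credential letting `wsc` call `methods` of
    `service` at `wsp` on behalf of the principal the WSP knows as `subject`."""
    base = time.time() if now is None else now
    claims = {"sub": subject, "wsc": wsc, "aud": wsp, "svc": service,
              "methods": sorted(methods), "exp": int(base + ttl)}
    return {"claims": claims, "sig": _sign(ds_key, claims)}


class WalletService:
    """A WSP hosting the wallet service. The assertion says who may call what;
    the principal's own policy decides what the caller actually receives."""

    SERVICE = "urn:example:wallet"

    def __init__(self, name: str, ds_key: bytes):
        self.name, self._ds_key = name, ds_key
        self._wallets = {}   # subject -> {"credit_card": {...}, "cash_account": {...}}
        self._policies = {}  # subject -> {wsc: {"methods": set, "fields": set}}

    def store(self, subject: str, wallet: dict) -> None:
        self._wallets[subject] = wallet

    def delegate(self, subject: str, wsc: str, methods, fields) -> None:
        """The principal's delegation: `wsc` may call `methods` and see only `fields`."""
        self._policies.setdefault(subject, {})[wsc] = {"methods": set(methods), "fields": set(fields)}

    def revoke(self, subject: str, wsc: str) -> None:
        self._policies.get(subject, {}).pop(wsc, None)

    def invoke(self, assertion: dict, caller: str, method: str, now: float = None) -> dict:
        now = time.time() if now is None else now
        claims = assertion["claims"]
        # 1. The credential itself: signature, audience, lifetime, holder and scope.
        if not hmac.compare_digest(assertion["sig"], _sign(self._ds_key, claims)):
            raise PermissionError("service assertion signature is invalid")
        if claims["aud"] != self.name or claims["svc"] != self.SERVICE:
            raise PermissionError("assertion is for another provider or service")
        if claims["exp"] <= now:
            raise PermissionError("assertion has expired")
        if claims["wsc"] != caller:
            raise PermissionError("assertion was issued to a different consumer")
        if method not in claims["methods"]:
            raise PermissionError("method is outside the assertion's scope")
        # 2. The principal's policy: a valid assertion alone does not authorize.
        policy = self._policies.get(claims["sub"], {}).get(caller)
        if policy is None or method not in policy["methods"]:
            raise PermissionError("principal has not delegated %s to %s" % (method, caller))
        return self._dispatch(method, self._wallets[claims["sub"]], policy["fields"])

    @staticmethod
    def _dispatch(method: str, wallet: dict, fields: set) -> dict:
        if method == "GetPaymentInstrument":
            # Fine-grained data release: only the delegated fields leave the wallet.
            return {k: v for k, v in wallet.items() if k in fields}
        raise PermissionError("unknown method " + method)
```

The two layers fail independently: a forged or expired assertion never reaches the policy lookup, and a perfectly valid assertion still yields nothing once the principal has revoked the delegation, which is the behaviour a site doing checkout on the user's behalf should expect.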

User Identity. In the identity based service system 10, the identity 29 of a user U
comprises a persona for that user. As seen in Figure 10, a user U can preferably have
more than one identity 29. For example, a user U can have one identity 29 for personal
information, another for business information, and a third identity for "anonymous" web
access.

The use of multiple identities 29 allows users U to store relevant information associated
with each identity 29, and use or expose the information only as needed. For example,
as seen in Figure 10, while "Financial Entity A" corporate credit card information 118j
associated with a business identity 29 and work authentication record 132a is located in
the wallet 116n, the "Financial Entity A" corporate credit card information 118j is not
located in the wallet 116n associated with the home or personal authentication record
132b.

Similarly, an "anonymous" identity 29 would typically comprise no personally-identifiable
information, enabling use of that identity 29 in appropriate situations.

Scopes of Authentication. Network authentication occurs when a user's evidence of
authentication is issued by a network authentication service 116a (FIG. 10), and
enables a user U to access sites and services on the network 112. This enables single
sign-on features, wherein all network participants accept network evidence of
authentication, in accordance with their own site policies, e.g. level of authentication
required, and in accordance with user opt-in choices.

In addition, a local authentication may occur, such as when evidence of authentication
for a user U is issued by a local site/service, using its own authentication facilities,
wherein the evidence of authentication is only valid for that specific site or service. A
local authentication does not inherently carry with the user U from one site to another,
and does not allow the site to access network services on behalf of the user U.

Some embodiments of the identity based service system 10 provide both forms of
authentication, whereby the system 10 can be integrated with sites that already have an
authentication system.
Requester identity, such as that of a web service consumer 48, is established by the inclusion
of a security token 186 (FIG. 13), which represents the identity of the requestor, and the
signing of relevant portions of the message with the key material implied by the security
token 186. The security token 186 may be an X.509 certificate, a Kerberos ticket, a
SAML assertion, a username and associated password, or any other valid security token
186, as deemed necessary by the web service provider 54. Additionally, replay
protection is preferably employed, such as a nonce-based challenge-response protocol,
a timestamp included in the signature, or another replay protection mechanism.

The responder's identity can be authenticated, such as by validating the signature
over the response, which contains the original RequestID.
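The requester and responder authentication just described, as an added worked example that is not code from the specification: the requester attaches a username security token, a fresh nonce and a timestamp, and signs header and body together; the responder looks up the key behind the token, checks the signature, rejects messages outside its clock-skew window and any nonce it has already seen within that window, and signs its answer over the original RequestID so the requester can match and verify it. Shared-secret HMAC stands in for XML-Signature with the token's key material, and the party names, keys and the sample GetProfile service are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time


def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, obj) -> str:
    """Detached signature over the canonical form; assumption: HMAC stands in
    for an XML-Signature made with the key implied by the security token."""
    return hmac.new(key, _canon(obj), hashlib.sha256).hexdigest()


class Requester:
    """A web service consumer holding a username token, its own key, and the
    responder's verification key."""

    def __init__(self, name: str, own_key: bytes, responder_key: bytes):
        self.name, self._key, self._responder_key = name, own_key, responder_key

    def build(self, service: str, method: str, params: dict, now: float = None) -> dict:
        header = {"token": {"type": "username", "id": self.name},
                  "request_id": secrets.token_hex(8),
                  "nonce": secrets.token_hex(16),              # replay protection
                  "timestamp": int(time.time() if now is None else now)}
        body = {"service": service, "method": method, "params": params}
        # The signature covers header and body, so token, nonce, timestamp and
        # the call itself cannot be altered or re-attached to another body.
        return {"header": header, "body": body, "sig": _mac(self._key, {"header": header, "body": body})}

    def check_response(self, request: dict, response: dict) -> dict:
        if response["in_response_to"] != request["header"]["request_id"]:
            raise ValueError("response does not answer this request")
        signed = {"in_response_to": response["in_response_to"], "body": response["body"]}
        if not hmac.compare_digest(response["sig"], _mac(self._responder_key, signed)):
            raise ValueError("response signature invalid")
        return response["body"]


class Responder:
    """A web service provider: authenticates each request, rejects replays and
    stale messages, and signs its answer over the original RequestID."""

    def __init__(self, own_key: bytes, requester_keys: dict, skew: int = 300):
        self._key, self._requester_keys, self.skew = own_key, requester_keys, skew
        self._seen = {}  # (token id, nonce) -> timestamp, kept for one skew window

    def handle(self, msg: dict, now: float = None) -> dict:
        now = time.time() if now is None else now
        header, body = msg["header"], msg["body"]
        key = self._requester_keys.get(header["token"]["id"])  # trusted token directory
        if key is None:
            raise PermissionError("unknown security token")
        if not hmac.compare_digest(msg["sig"], _mac(key, {"header": header, "body": body})):
            raise PermissionError("request signature invalid")
        if abs(now - header["timestamp"]) > self.skew:
            raise PermissionError("timestamp outside the acceptance window")
        # Nonces older than the window can be forgotten: the timestamp check
        # already rejects any message that old.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}
        nonce_key = (header["token"]["id"], header["nonce"])
        if nonce_key in self._seen:
            raise PermissionError("replayed request")
        self._seen[nonce_key] = header["timestamp"]
        result = self._dispatch(body)
        signed = {"in_response_to": header["request_id"], "body": result}
        return dict(signed, sig=_mac(self._key, signed))

    @staticmethod
    def _dispatch(body: dict) -> dict:
        # Constructed sample service: a profile lookup for the demonstration.
        if body["service"] == "urn:example:profile" and body["method"] == "GetProfile":
            return {"email": "user@example.net", "principal": body["params"]["principal"]}
        raise PermissionError("no such service or method")
```

The order of checks matters: the signature is verified before the nonce cache is consulted, so an unauthenticated sender cannot poison the cache, and the timestamp window bounds the cache so it cannot grow without limit.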

Long-Lived Access to Services. In some alternate system embodiments 10,
pursuant to the approval of a user U, the discovery service 54 issues long-lived
service assertions to a web service consumer 48, such that the web service consumer
48 can repeatedly invoke a service at the web service provider 54. Continued
acceptance of the service assertion 28 at the web service provider 54 is dependent on
user approval of continued access to the service at the web service provider 54.

However, in system embodiments 10 wherein revocation is to be controlled by
the identity provider 14 and its associated discovery service 54, the discovery service 54
does not issue long-lived service assertions to a web service consumer 48, so that
access can be withdrawn by declining to issue a further short-lived assertion.

25 Service Infrastructure. While current system embodiments 10 comprise a profile 
service (PS) 116 (FIG. 9), the identity based service system 10b preferably comprises a 
complete services infrastructure, such that the profile service 116, as well as other 
services, may be built on top of web service standards. 

For example, the infrastructure is typically accessible via SOAP over http calls, as 
defined by WSDL descriptions, and uses agreed-upon schemas, such that the web 
services infrastructure transparently supports both static and dynamic data. An 
example of static data is a basic profiling service that returns an e-mail address. An 
example of dynamic data is that of an infrastructure served by a calendar service, which 
returns calendar appointments. 

Services themselves are relatively coarse-grained (***Please clarify***), containing 
collections of attributes and service calls, such as a user's profile 116b, wallet 116n, or 
calendar/alerts 116c. 

Core Authentication Records. Figure 10 is a functional block diagram of a core 
authentication record (CAR) 132, which is maintained on behalf of a user U, such as by 
the BAA (FIG. XX) (***Is this shown?***). The core authentication record 132 
comprises links 136,140 to sites 120a-120k which are associated through the identity 
based service system 10. The core authentication record 132 is also linked to an ACL 
134 (***Please describe as needed***), and to services 138, such as core services 
116, as provided by core service providers 118. 

Figure 11 is a functional block diagram of multiple core authentication records (CAR) 
132a,132b, which are maintained on behalf of a user U. Some preferred embodiments 
of the identity based service system 10 comprise support for multiple identities, i.e. 
personifications or personas, for a user U, wherein a user may interact differently, such 
as within different environments. 

For example, users U often look at their work personification as different and distinct 
from their home personification, with different sites 120 visited, different credit cards 
116n, and sometimes even different alert mechanisms 116c. 

As seen in Figure 11, multiple core authentication records (CAR) 132a, 132b are 
preferably supported by the identity based service system 10, whereby a user U 
selectively logs in 18 to one or more core authentication records 132. 
The links 136 also preferably include quick-links 140 between accounts 132. Once a 
user U logs in 18 to either account 132, they can switch between the accounts 132, e.g. 
from 132a to 132b, on an as needed or as desired basis, without logging in 18 again. 
For example, as seen in Figure 11, a user U within a work authentication record 132a 
can link 140d to the associated home authentication record 132b for the user U. 
Similarly, the user U within a home authentication record 132b can link 140g to the 
associated work authentication record 132a for the user U. 

Figure 12 is a functional block diagram 160 of multiple core authentication records 
(CAR) 132a, 132b, which are maintained on behalf of a user U, based upon the use of 
different devices 192a, 192b (FIG. 14). The identity based service system 10 also 
preferably comprises support for multiple devices 192 for a user U, wherein a user logs 
on 18 to the system through any of a plurality of devices 192, such as through a desktop 
computer 192a in an office, or through a mobile device 192b at any location. 

While the user U may retain a similar identity while operating different devices, such as 
a work identity, the chosen services 138,116 and links 136,140 linked to the 
authentication records 132a, 132b may be chosen or selected as suitable for the device 
192. For example, an extended alert list 116c may be linked to a desktop computer 
192a, while an abbreviated alert list 116c may be linked to a mobile device 192b, such as a 
personal digital assistant 192b, or an Internet enabled cell phone 192b. Similarly, a 
wide variety of web site links 140 may be linked to a desktop computer 192a, while only 
a few key web site links 140 may be linked to a mobile device 192b. 

While much of the identity 29, services 116, and/or core providers 118 may be shared 
between authentication records 132a, 132b in Figure 12, the authentication records 
132a, 132b provide a customized operating environment for a user U, which is based on 
the device 192 from which the user U logs in 18. 

System Advantages. The identity based service system 10 provides significant 
advantages over conventional identity and service structures. Through the 
establishment of a system identity 29, a user U can quickly provide information as 
needed to system entities 27, while controlling how the information is distributed. The 
use of a secure and centralized identity structure provides controlled authentication and 
authorization of all system entities 27. 

Through the use of detailed identity information, the identity based service system 10 
provides unique value-added services, such as fast sign-in 18, a customized personal 
network environment, and quick links 140 to existing and new associated web service 
providers 120. 

System Operation. Figure 14 is a schematic view 190 of a user logging onto a first 
service provider site 120, wherein the user does not currently have a system identity 29. 
In the process of registering as a user at the site 120, the user typically establishes a 
user name 192 and password 194, and enters appropriate information to operate within 
the site 120, such as name, address, and/or credit information 96. 

Figure 15 is a second view 200 of operation for an identity based service system 10, 
wherein the user is asked if an identity based service system identity 174 is desired, to 
easily establish relationships with other providers 120, such as through selectable 
member site links 202, and/or to establish or manage system services 116, e.g. such as 
to establish a profile service 116b or a wallet service 116n, through selectable service 
links 204. 

Figure 16 is a third view 210 of operation for an identity based service system 10, in 
which a system identity 29 is established at an identity provider 14. The information 
gathered from the first site 120 is securely stored in the identity provider 14. The user U 
may easily choose one or more member site links 202 and/or service links 204, typically 
from an identity service selection screen 206. 

Although the identity based service system and its methods of use are described herein 
in connection with personal computers, mobile devices, and other microprocessor- 
based devices, such as portable digital assistants or network enabled cell phones, the 
apparatus and techniques can be implemented for a wide variety of electronic devices 
and systems, or any combination thereof, as desired. 

As well, while the identity based service system and its methods of use are described 
herein in connection with interaction between a principal and a network through a 
device, the use of identity based services can be implemented for a wide variety of 
electronic devices and networks or any combination thereof, as desired. 

Accordingly, although the invention has been described in detail with reference to a 
particular preferred embodiment, persons possessing ordinary skill in the art to which 
this invention pertains will appreciate that various modifications and enhancements may 
be made without departing from the spirit and scope of the claims that follow. 


CLAIMS 

What is claimed is: 

1. An identity based service system, comprising: 

at least one principal comprising at least one identity comprising user information; 
an identity provider for managing at least one identity for the principal, and for 
authenticating the principal; and 

a system entity which is accessible by the principal, based on an authentication 
of the principal by the identity provider, and based on retrieval of at least a portion of 
user information from the identity provider. 

2. The identity based service system of Claim 1, further comprising: 

at least one core service associated with the system and related to at least a 
portion of the user information. 

3. The identity based service system of Claim 2, wherein the core service is accessible 
by the user, based on an authentication of the principal by the identity provider. 

4. The identity based service system of Claim 2, wherein the core service is accessible 
by the system entity, based on an authentication of the principal by the identity provider. 

5. The identity based service system of Claim 2, wherein the core service is associated 
with one or more core service providers. 

6. The identity based service system of Claim 2, wherein the core service comprises 
any of an authentication service, a profile service, an alert service, a calendar service, 
and a wallet service. 
7. The identity based service system of Claim 1, wherein the identity provider further 
comprises means for translating namespaces, such that a user identity of a principal in 
a first namespace is translatable to a user identity in a second namespace. 

8. The identity based service system of Claim 7, wherein the user identity in the second 
namespace is encrypted. 

9. The identity based service system of Claim 7, wherein the user identity in the second 
namespace is time-bound. 

10. The identity based service system of Claim 1, further comprising: 

at least one core authentication record associated with the identity, comprising 
any of services and links associated with the identity. 

11. An identity based service system, comprising: 

an identity module for managing an identity for a user; 

a discovery module associated with the identity module and adapted to receive a 
user name identifier and a service name associated with the user; 

means for discovering a service descriptor for the user, based on a received 
name identifier and a service name; and 

whereby at least one web service is accessible, based upon the discovered 
service descriptor and the name identifier. 

12. The identity based service system of Claim 11, further comprising: 

at least one core service associated with the system and related to the user. 

13. The identity based service system of Claim 12, wherein the core service is 
accessible by the user, based on a system authentication of the principal at the identity 
module. 
14. The identity based service system of Claim 12, wherein the core service is 
accessible by a system entity, based on an authentication of the principal at the identity 
module. 

15. The identity based service system of Claim 12, wherein the core service is 
associated with one or more core service providers. 

16. The identity based service system of Claim 12, wherein the core service comprises 
any of an authentication service, a profile service, an alert service, a calendar service, 
and a wallet service. 

17. The identity based service system of Claim 11, wherein the identity module further 
comprises means for translating namespaces, such that a user identity of a principal in 
a first namespace is translatable to a user identity in a second namespace. 

18. The identity based service system of Claim 17, wherein the user identity in the 
second namespace is encrypted. 

19. The identity based service system of Claim 17, wherein the user identity in the 
second namespace is time-bound. 

20. The identity based service system of Claim 1, further comprising: 

at least one core authentication record associated with the identity, comprising 
any of services and links associated with the identity. 

21. The system of Claim 11, wherein the principal is located at a device linked to the 
identity based service system. 

22. An identity based service process, comprising: 

providing an identity module for managing an identity for a user; 

receiving a user name identifier and a service name associated with the user; 
discovering a service descriptor for the user, based on a received name identifier 
and a service name; and 

controllably authenticating access to a service, based upon the receipt of the 
discovered service descriptor and the name identifier. 

23. The process of Claim 22, further comprising the step of: 

establishing at least one core service associated with the system and related to 
the user. 

24. The process of Claim 23, wherein the core service is accessible by the user, based 
on a system authentication of the principal at the identity module. 

25. The process of Claim 23, wherein the core service is accessible by a system entity, 
based on an authentication of the principal at the identity module. 

26. The process of Claim 23, wherein the core service is associated with one or more 
core service providers. 

27. The process of Claim 23, wherein the core service comprises any of an 
authentication service, a profile service, an alert service, a calendar service, and a 
wallet service. 

28. The process of Claim 22, further comprising the step of: 

translating namespaces, such that a user identity of a principal in a first 
namespace is translated to a user identity in a second namespace. 

29. The process of Claim 28, further comprising the step of: 

encrypting the user identity in the second namespace. 

30. The process of Claim 22, wherein the user identity in the second namespace is 
time-bound. 

31. The process of Claim 22, further comprising the step of: 

associating at least one core authentication record with the identity, comprising 
any of services and links associated with the identity. 

32. A process, comprising the steps of: 

providing an identity provider networked to a service having a service name; 

establishing an identity at the identity provider for a principal, comprising 
information and a name identifier for a user; 
establishing a link between the principal and the service by the identity provider, 
based upon a receipt of a name identifier and a service name. 

Attorney Docket No. AOL0091 



Identity Based Service System 
ABSTRACT OF THE DISCLOSURE 

An identity based service system is provided, in which an identity is created and 
managed for a user or principal, such that at least a portion of the identity is 
available to use between one or more system entities. A discovery service 
enables a system entity to discover a service descriptor, given a service name 
and a name identifier of the user, whereby system entities can find and invoke 
the user's other personal web services. The discovery service preferably 
provides a translation between a plurality of namespaces, to prevent linkable 
identity information over time between system entities. 
IDENTITY BASED SERVICE SYSTEM 



FIELD OF THE INVENTION 

The invention relates to the field of network based services and structures. More 
particularly, the invention relates to identity creation, management, authentication, and 
authorization structures for enhanced network services. 

BACKGROUND OF THE INVENTION 

At the present time, the identity of an individual or user in a network environment, such 
as the Internet, is comprised of a large number of pieces of information, which is 
collected and recollected by a large number of entities. Some basic information 
regarding an individual, such as but not limited to name information, address 
information, identification information, financial information, profile information, and/or 
preference information, is repeatedly collected and stored at a large number of system 
entities. Additional information, such as a user name and password, is created, as 
necessary, such that the individual or user can sign on and/or gain access to a service 
provider. 

A large number of pieces of an individual's business and personal identity are therefore 
scattered across an increasing number of system entities, such as but not limited to 
commercial entities, banking and investment institutions, credit card companies, service 
providers, and/or educational institutions. 

Individuals are therefore required to repeatedly enter much of the same information, in 
the process of numerous professional and/or personal endeavors. Furthermore, as the 
information for an individual changes, the stored information becomes increasingly 
impractical to manage and/or update. In addition, the numerous user names and 
passwords associated with an individual quickly become unwieldy, such that users 
often forget or lose track of the information they need to access services and/or 
accounts. 

Several structures and methods have been described for identity and proxy-based 
networks, such as: 

E. Gabber, P. Gibbons, Y. Matias, and A. Mayer, System and Method for Providing 
Anonymous Personalized Browsing by a Proxy System in a Network, U.S. Pat. No. 
5,961,593, 05 October 1999, describes a system "For use with a network having server 
sites capable of being browsed by users based on identifiers received into the server 
sites and personal to the users, alternative proxy systems for providing substitute 
identifiers to the server sites that allow the users to browse the server sites 
anonymously via the proxy system. A central proxy system includes computer- 
executable routines that process site-specific substitute identifiers constructed from 
data specific to the users, that transmits the substitute identifiers to the server sites, that 
retransmits browsing commands received from the users to the server sites, and that 
removes portions of the browsing commands that would identify the users to the server 
sites. The foregoing functionality is performed consistently by the central proxy system 
during subsequent visits to a given server site as the same site specific substitute 
identifiers are reused. Consistent use of the site specific substitute identifiers enables 
the server site to recognize a returning user and, possibly, provide personalized 
service"; 

Proxy-Based Security Protocols in Networked Mobile Devices; M. Burnside, D. Clarke, 
T. Mills, S. Devadas, and R. Rivest; MIT Laboratory for Computer Science; 
event,declarke,mills,devada,rivest@mit.edu; 

SPKI/SDSI http Server / Certificate Chain Discovery in SPKI/SDSI; D. Clarke; MIT 
Laboratory for Electrical Engineering and Computer Science, September 2001; 

Grid Information Services for Distributed Resource Sharing; K. Czajkowski, S. 
Fitzgerald, I. Foster, C. Kesselman; Proc. 10th IEEE Symposium on High-Performance 
Distributed Computing, 2001; 

Certificate Discovery Using SPKI/SDSI 2.0 Certificates; J. Elien; MIT Department of 
Electrical Engineering and Computer Science; May 1998; and 

Local Names in SPKI/SDSI; N. Li; NYU Department of Computer Science; Proceedings 
of the 13th IEEE Computer Security Foundations Workshop. 

Other systems provide various details of the operation of network identity and proxy 
systems, such as U.S. Patent No. 6,460,036, System and Method for Providing 
Customized Electronic Newspapers and Target Advertisements; U.S. Patent No. 
6,029,195, System for Customized Electronic Identification of Desirable Objects; U.S. 
Patent No. 5,835,087, System for Generation of Object Profiles for a System for 
Customized Electronic Identification of Desirable Objects; U.S. Patent No. 5,754,939, 
System for Generation of User Profiles for a System for Customized Electronic 
Identification of Desirable Objects; U.S. Patent No. 5,754,938, Pseudonymous Server 
for System for Customized Electronic Identification of Desirable Objects; U.S. Patent 
No. 6,490,620, Integrated Proxy Interface for Web Based Alarm Management Tools; 
U.S. Patent No. 6,480,885, Dynamically Matching Users for Group Communications 
Based on a Threshold Degree of Matching of Sender and Recipient Predetermined 
Acceptance Criteria; U.S. Patent No. 6,473,407, Integrated Proxy Interface for Web 
Based Alarm Management Tools; U.S. Patent No. 6,421,733, System for Dynamically 
Transcoding Data Transmitted Between Computers; U.S. Patent No. 6,385,652, 
Customer Access Solutions Architecture; U.S. Patent No. 6,373,817, Chase Me 
System; U.S. Patent No. 6,338,064, Method for Enabling a Web Server Running a 
"Closed" Native Operating System to Impersonate a User of a Web Client to Obtain a 
Protected File; U.S. Patent No. 6,259,782, One-Number Communications System and 
Service Integrating Wireline/Wireless Telephone Communications Systems; U.S. Patent 
No. 5,974,566, Method and Apparatus for Providing Persistent Fault-Tolerant Proxy 
Login to a Web-Based Distributed File Service; European Pat. No. EP 1094404, 
Collaborator Discovery Method and System; European Pat. No. EP 1031206, Identity 
Discovery Method for Detecting Authorized Security Service Which is Illicitly 
Transferring Decoding Capabilities for use in Unauthorized Security Devices; The 
Session Initiation Protocol: Internet-Centric Signaling; H. Schulzrinne, J. Rosenberg; 
IEEE Communications Magazine; October 2000; How Bluetooth Embeds in the 
Environment; Lawday, G.; Electronic Product Design; Nov. 2001; and Business: 
Designing with Users in Internet Time; J. Braiterman, S. Verhage, and R. Choo; 
Interactions: Sept.-Oct. 2000. 

It would be advantageous to provide an identity based service system, which does not 
require a user to create a user identity for each service provider. The development of 
such an identity based service system would constitute a major technological advance. 

Furthermore, it would be advantageous to provide an identity based service system, 
which allows a user to create an identity which can be controllably accessed and 
shared by a plurality of service providers. The development of such an identity based 
service system would constitute a further technological advance. 

As well, it would be advantageous that such an identity based service system be 
integrated with existing site authentication and authorization structures, such that the 
identity based service system is readily used by a wide variety of sites. The 
development of such an identity based service system would constitute a further major 
technological advance. 

SUMMARY OF THE INVENTION 

An identity based service system is provided, in which an identity is created and 
managed for a user or principal, such that at least a portion of the identity is available to 
use between one or more system entities. A discovery service enables a system entity 
to discover a service descriptor, given a service name and a name identifier of the user, 
whereby system entities can find and invoke the user's other personal web services. 
The discovery service preferably provides a translation between a plurality of 
namespaces, to prevent linkable identity information over time between system entities. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a basic functional block diagram for an identity based service system, in 
which a service provider accesses services for a principal; 

Figure 2 is a flow diagram for the access of service within an identity based service 
system; 

Figure 3 is a functional block diagram of an identity based service system, comprising a 
discovery service associated with an identity provider, a web service provider, and a 
web service consumer; 

Figure 4 is a flow diagram for the access of service within an identity based service 
system comprising a discovery service associated with an identity provider, a web 
service provider, and a web service consumer; 

Figure 5 is a functional block diagram of an identity based service system, in which a 
discovery service issues service assertions that are used to invoke services; 

Figure 6 is a flow diagram for the access of service in the identity based service system 
shown in Figure 5; 

Figure 7 is a functional block diagram of profile service principal core information; 

Figure 8 is a functional block diagram of a profile data entry; 

Figure 9 is a schematic view of an identity based service system configured on a virtual 
network; 

Figure 10 is a functional block diagram of a core authentication record; 

Figure 11 is a functional block diagram of multiple core authentication records which are 
maintained on behalf of a plurality of identities for a user; 

Figure 12 is a functional block diagram of multiple core authentication records 
maintained on behalf of a user, based upon system access through different devices; 

Figure 13 is a schematic view of namespace translation within the identity based 
service system; 

Figure 14 is a first schematic view of operation for an identity based service system, in 
which a user logs onto a first service provider site; 

Figure 15 is a second view of operation for an identity based service system, wherein a 
user may select system site links and/or system service links; and 

Figure 16 is a third view of operation for an identity based service system, in which a 
system identity is established at an identity provider. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Figure 1 is a basic functional block diagram for an identity based service system 10a, in 
which a service provider 16 accesses services for a principal 12. Figure 2 is a flow 
diagram 30 for the access of service within an identity based service system 10. In 
Figure 1, the system entities 27 comprise an identity provider 14, a service provider 16, 
and a principal 12. The system entities 27 assume roles within the identity based 
service system 10. 
A principal 12, such as a user or user agent, is an entity 27 that can acquire a system 
identity 29, and be authenticated and vouched for 19 by an identity provider 14. A 
principal 12 often comprises a user, using a user agent, either a web browser or a 
smart web services client. 

An identity provider (IDP) 14 authenticates and vouches for principals 12, and provides 
system management for system identities 29. A service provider (SP) 16 provides 
service to one or more requestors, such as principals 12, typically through a web 
consumer 48 (Fig. 3), upon proof of authentication 19 by the identity provider 14. 

The identity based service system 10a shown in Figure 1 provides a web services- 
based service infrastructure that enables users U to manage the sharing of their 
personal information across an identity provider 14 and service providers 16. In some 
system embodiments 10, the system 10 also provides personalized services 116 (FIG. 
9) for users U (FIG. 11). 

For example, a user U, through a principal 12, is able to authorize a service provider 16 
to access his or her contact data 94a (FIG. 7), such as shipping address data 96 (FIG. 
7), while processing a transaction. Principals 12 are able to use sophisticated clients 
that support web services, in addition to traditional browser-oriented user agents. In 
some system embodiments, web services are defined as simple object access protocol 
binding (SOAP) over http calls, comprising header blocks and processing rules, which 
enable the system to invoke identity services 116, through SOAP requests and 
responses. 

The identity based system framework 10 enables service providers 16 and other 
system entities 27 to craft and offer sophisticated services, including multi-provider- 
based services 116 (FIG. 9). 
Figure 3 is a functional block diagram 40 of an identity based service system 10b, which 
further comprises a discovery service 42 associated with the identity provider 14, a web 
service provider 42, and a web service consumer 48. Figure 4 is a flow diagram 60 for 
the access of service within an identity based service system 10b. 

A web service provider (WSP) 54 hosts personal web services 116 (FIG. 9), such as a 
profile service 116b (FIG. 9), while a web service consumer (WSC) 48 invokes web 
services 116 at web service providers WSP 54. With appropriate identification and 
authorization, a web service consumer 48 is able to access the user's personal web 
services 116, by communicating with the web service provider endpoint 54. 

As seen in Figure 3, the identity provider IDP 14 provides authentication 19 to the 
principal 12, based upon a successful log in 18. The principal 12 then interacts with the 
service provider 16, and relays the authentication information 19, comprising an IDP 
assertion 45 and a discovery service descriptor 26. 

The service provider SP 16, acting as a web service consumer 48, uses the discovery 
service 42, to determine whether the principal 14 is enabled for a particular service 116, 
and to obtain the necessary assertions which authorize use of the service 116. The 
policy framework addresses whether the principal 12 is enabled for some particular 
service, and if so, what fine-grained methods are allowed, and what data is to be 
returned. Web service security is typically applied to all messages flowing between 
system entities 27. 

As seen in Figure 3, the identity based service system 10b comprises a web-service 
infrastructure, which comprises the discovery service 42, service invocation 52, a 
permission and authorization framework, a change management framework, as well as 
a mobile infrastructure. 
In some system embodiments 10, web service consumers 48 are hosted on a server at 
a service provider 54. In alternate system embodiments 10, web service consumers 48 
are hosted on a user device 192 (FIG. 14). 

A discovery device (DS) 44 is typically hosted by an identity provider (IDP) 14, and 
enables web service consumers 48 to discover service endpoint information 96 (FIG. 7) 
associated with the personal web services 116 of a user U. 

Architectural Components. The identity based service system 10 comprises the 
following architectural components: 

Services. A service is a grouping of common functionality. For example, a core 
profile service 116b (FIG. 9) handles all interaction to do with user profile 
information 96. Services typically offer one or more methods callers use to 
manipulate the information managed by the service, and are typically scoped in 
the context of a particular principal 12, e.g. GetProfile (Principal) accesses the 
principal's entire set of profile data. 

Services may be either RPC-style or one-way exchanges. In RPC-based 
exchanges, the Web Services Consumer 48 is the requestor 50, and the Web 
Services Provider 54 is the responder 51. 

Schemas. Schemas describe the syntax and relationships of data. Each 
service element 116 comprises an associated schema for the data that is 
relevant to the service element 116. For example, the profile service 116b 
comprises schema elements 96 which are relevant to a profile 94, such as but 
not limited to a name, an address, and a phone number for a user U. 

System Entity Roles. System Entities may assume one or more roles. 

As seen in Figure 3, service descriptors 26 are used to locate a system service 54, 
while service assertions 28 are used as credentials, to access the system service 54. A 
service descriptor 26 typically describes a SOAP endpoint for an identity based system 
service 54. A service assertion 28 is an assertion used as a credential to access an 
5 identity based system service 54. 

Discovery Service Overview. In the identity based service system 10, the personal
web services 116 for a user U are preferably distributed across multiple web service
providers 54. Therefore, web service consumers 48 comprise a means for discovering
service locations 54. The discovery device 42 is a personal web service which enables
system entities 27 to discover a service descriptor 26, given a service name and a
user's name identifier 174 (FIG. 13), whereby a web service consumer 48 is able to find
and invoke the web services 54 of a user U.

Figure 5 is a functional block diagram 70 of an identity based service system 10, in
which a discovery service 42 issues service assertions 28 that are used to invoke
services 54. Figure 6 is a flow diagram 80 for the access of service 54.

Because of the pseudonymous identity of users in the identity based service system 10,
web service consumers 48 and web service providers 54 do not have a common name
for a user U. The identity provider 14 of a user U is the system entity 27 that maps
between the disparate namespaces 176,182 (FIG. 13). As seen in Figure 13, the
discovery service 42, which is hosted by the identity provider 14, provides this
namespace translation.

The web service consumer 48 prompts the name translation service by sending the
user's name 174a in the WSC-IDP namespace 176 to the identity provider 14. The
identity provider 14 hands back a user name 174b in the WSP-IDP namespace 182, in
a format such that the web service consumer 48 is blinded to this name, via encryption
184. The encrypted value 184 of the name 174b is preferably different each time the
name 174a, 174b is used, such that there is no linkable identity information over time
between the web service consumer 48 and the web service provider 54. This name
translation assertion 28 is also preferably time-bound, to prevent long-term use of a
translated name 174b, and to prevent linking of the actions of a principal 12.

In the identity based service system 10, the user's identity provider 14 always hosts the
discovery service 42, since the discovery service 54 must be aware of the pair-wise
identifier relationships 174a, 174b between parties 27.

In response to a discovery request, the service 54 returns 52 a service descriptor 26
that points to a particular web service provider 54. Additionally, a translated name 174b
and relevant security tokens 186 (FIG. 13) are typically included as well. Some
discovery services 54 enforce user presence requirements on web service consumers
48, and/or enforce one or more authorization rules on each web service consumer 48.
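The name translation and discovery exchange described above, as an added example that is not code from the application or its authors: the identity provider resolves the WSC-side name 174a to a service descriptor 26, and returns the WSP-side name 174b inside an encrypted, time-bound assertion that the web service consumer cannot read and that differs on every use, so two discovery requests for the same user are not linkable by the consumer. The host names, name tables, keys, lifetime and the stdlib HMAC-in-counter-mode cipher are all constructed assumptions for this example; a production discovery service would use an AEAD such as AES-GCM from a vetted library rather than the hand-built construction shown here.

```python
import hashlib
import hmac
import json
import os
import time

# All keys, names and tables below are constructed for this example (assumptions, not from the page).
# The IDP shares one key with each web service provider (WSP); the web service consumer (WSC) has none,
# which is what blinds the WSC to the translated name 174b.
WSP_KEYS = {"profile-wsp.example": os.urandom(32)}
ASSERTION_LIFETIME_SECONDS = 300

# Pair-wise identifier tables held by the identity provider (constructed data).
# WSC-IDP namespace 176: (wsc, name 174a) -> IDP-internal account
WSC_IDP_NAMES = {("shop.example", "user-7f3a"): "acct-alice"}
# WSP-IDP namespace 182: (account, wsp) -> name 174b as the WSP knows the user
WSP_IDP_NAMES = {("acct-alice", "profile-wsp.example"): "wsp-91c0"}
# Service descriptors 26 for each account's personal web services
SERVICE_DESCRIPTORS = {
    ("acct-alice", "profile"): {"endpoint": "https://profile-wsp.example/soap",
                                "provider": "profile-wsp.example"},
}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stdlib-only demo cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_for_wsp(key, plaintext):
    """Encrypt-then-MAC under a fresh nonce: the same name gives a different value 184 every time."""
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_at_wsp(key, blob):
    """Verify the tag before touching the ciphertext; a modified assertion is rejected outright."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("name translation assertion failed integrity check")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def discover(wsc, wsc_name, service_name, now=None):
    """IDP-hosted discovery: resolve the descriptor and return a blinded, time-bound translated name."""
    now = time.time() if now is None else now
    account = WSC_IDP_NAMES[(wsc, wsc_name)]
    descriptor = SERVICE_DESCRIPTORS[(account, service_name)]
    provider = descriptor["provider"]
    translated = WSP_IDP_NAMES[(account, provider)]
    claims = {"name": translated, "svc": service_name, "exp": now + ASSERTION_LIFETIME_SECONDS}
    assertion = encrypt_for_wsp(WSP_KEYS[provider], json.dumps(claims).encode())
    return descriptor, assertion


def accept_assertion(provider, assertion, now=None):
    """WSP side: recover the translated name 174b and refuse expired assertions."""
    now = time.time() if now is None else now
    claims = json.loads(decrypt_at_wsp(WSP_KEYS[provider], assertion))
    if now > claims["exp"]:
        raise PermissionError("name translation assertion expired")
    return claims["name"]


def assertion_status(provider, assertion, now=None):
    """Report why the WSP would refuse an assertion ('ok', 'expired' or 'tampered')."""
    try:
        accept_assertion(provider, assertion, now)
    except ValueError:
        return "tampered"
    except PermissionError:
        return "expired"
    return "ok"
```

The web service consumer forwards the opaque assertion to the endpoint in the descriptor and never learns `wsp-91c0`; the provider learns the name but cannot correlate two assertions for the same user by their bytes, and refuses one presented after its lifetime.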

The discovery service 54 also provides an administrative interface, whereby a set of
services 116 for a user can be configured. Services may be registered and
unregistered. (***Please clarify these features as needed***)

Profile Service. Figure 7 is a functional block diagram 90 of profile service 116b (FIG.
9) principal core information 92. A profile service 90 manages the core personal
information 92 for a principal 12. The core personal information 92 typically comprises
a plurality of data types 94a-94n, such as contact data 94a, demographic data 94b,
and/or core preferences 94n.

A profile service 116 (FIG. 9) allows principals 12 to create a profile 92, to update
profile data 94a-94n, and to specify privacy controls 98. Once a user creates a profile
92, the profile 92 can be used at any of the system web service consumer 48 sites,
such that principals 12 are not required to re-enter data, such as on a registration form.

Figure 8 is a functional block diagram of a profile data entry. Each profile data entry 96
is typically associated with a collection of metadata 107, such as data categories 102,
change timestamp information 104, data validation information 106, and/or creator
information 108.

Data category information 102 allows information to be classified as applicable, such as
to define a home or business profile. For example, an address can be classified as a
home and/or a business address. Data categories 102 are typically defined by web
service providers 54, by web service consumers 48, and/or by principals 12.

Change timestamp information 104 typically comprises a number 105, e.g. 105a,
which represents the latest modification time of a particular node and associated
descendants.

Data validation information 106 comprises an indication of whether the data content 94
has been validated or not. If the data content 94 is validated, the information may
preferably comprise what type of validation was performed, and when the validation
was performed. A web service consumer 48 typically uses metadata 107.

Figure 9 is a schematic view 110 of an identity based service system 10 configured on
a virtual network 112. The virtual network 112 provides a single set 114 of services
116a-116n, which are provided by one or more contributors 118a-118j. The virtual
network 112 formed within the identity based service system 10 provides one or more
core services 116, such as an authentication service 116a, a profile service 116b, an
alert service 116c, and/or a wallet service 116n. The identity based service system 10
also supports other value-added services 116 for a user, such as a calendar service
and/or an address book service. The identity based service system 10 provides access
for a wide variety of web consumer sites 120a-120k, such as large and small business
sites 120a, 120k.

As seen in Figure 9, service consumers 48 comprise sites which use services 116 from
the network 112. As seen through a site 120, the services 116 presented by the virtual
network 112 preferably look like a single set 114 of services 116, i.e. from a single
provider 118 of services, even though the services are typically provided by any number
of contributors 118a-118j.

The core service provider 118b shown in Figure 9 provides all of the core services
116a-116n on the virtual network 112. While some basic services, such as a profile
service, are currently available through some Internet providers, such services are
separate and distinct. In the identity based service system 10, the various services
116a-116n are aware of each other and of the virtual network 112.

As seen in Figure 9, the identity based service system 10 preferably comprises a
plurality of service contributors, i.e. vendors 118a-118j. While different vendors 118
typically contribute different sets of varying services 116, the source of a service 116 is
typically transparent to users U as they interact with the recipient sites 120.

Levels of Trust and Integration. The identity based service system 10 preferably
provides varying levels of trust and integration. For example, as seen in Figure 9, a
small retail site 120k typically comprises a low level of trust, such that a user U is
typically asked to confirm transactions, through redirect exchanges with the system 10.

A larger site 120, such as a large retail site 120a or an auction site 120b, which is
integrated with the network 112 and is able to perform tasks on behalf of the user U,
e.g. get money from a wallet 116n, typically has a higher level of trust with the system
10.

Core service providers 118, such as providers 118a-118j of core services 116, typically
have a high level of trust with the system 10, and are able to perform system functions
on behalf of a user U. In addition, core service providers 118 which provide
authentication 116a have the highest level of service requirements, and inherently
require the highest level of trust within the system 10.

Attorney Docket No. AOL0041 PROPRIETARY INFORMATION - REVIEW DRAFT 15 April 2003

Service Invocation. In order to enable interactions between multiple endpoints within
a circle of trust, the discovery service 54 issues service assertions 28 (FIG. 3, FIG. 5)
that can be used by service consumers 48, such as to access other service providers
54.

In some embodiments of the identity based service system 10, messages can be
routed and transported through multiple hops. Additionally, message-level
confidentiality is employed for sensitive data in multi-hop cases where confidentiality is
required.

The target service provider 54 does not simply consume the service assertion 28.
Relevant policy is enforced to ensure that the service invocation is in line with the
principal's policies.

Authentication. Most system services require requester authentication. Additionally,
the response is authenticated. For example, a user authentication comprises a
determination of the identity 29 of a user U. Online authentication can take many forms,
such as a stored browser cookie, a user name/password combination, or stronger
technologies such as smart cards or biometric devices.

In the identity based service system 10, the user's identity 29 is authenticated, in
accordance with privacy and security policies. The evidence of authentication for a
user U comprises the user identity 29, in addition to guarantees of authentication. The
evidence of authentication for a user U refers to stored and/or passed data that
indicates that a user is authenticated, and which can be interrogated to verify the
authentication.

As an example, web sites often use a stored cookie to provide personalization
information about their site for the user. However, for e-commerce transactions, that
same web site will often require a user ID and password. Both are authentications, but
the ID/password is stronger than the stored cookie. This allows the site to balance user
convenience with its security policies, as needed.

System Authorization. While user authentication determines the identity 29 of the
user U, authorization is the process of determining what an authenticated user U is
allowed to do, and of determining any services and/or entities 27 which are allowed
to act on behalf of the user U.

For example, a web site that provides access to bank account information may be
configured to allow the primary account holder to transfer funds to/from the account, but
allow all members of the family to view the current account balance. While each user U
is authenticated, only one user U is able to perform authorized activities.

Another example would be that of a network payment service (or smart wallet) 116n
(FIG. 9, FIG. 10), which contains credit card information and/or cash account
information 118. A user U of a wallet service 116n can controllably authorize a web site
to access credit card information and/or cash account information. In this case, the user
U is authenticated, and authorized to control the payment service, while the web site is
also authenticated, but authorized only to access the credit card information.

As shown above, some embodiments of the identity based service system 10 feature a
delegation of authorization, wherein a user U is not required to navigate to a payment
site to authorize a transaction. For example, while a user U shops at a web site 120,
during a checkout process, a system enabled web site 120 may access the
payment/wallet service 116n, on behalf of the user U, wherein the user has delegated
authorization to the web site to act on his behalf with the payment service 116n.
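The two authorization examples above (the family bank account and the wallet with a delegated web site), as an added example that is not code from the application or its authors. Authentication is taken as already done and reduced to a session naming the caller; the account policy, the wallet contents, the `Session`, `Grant` and `WalletService` names and the time-to-live on a delegation are constructed assumptions for this example. The point it shows is that every caller is authenticated, but what each may do is decided separately: family members view, only the primary holder transfers, and a site acting on the user's behalf at checkout gets exactly the operations the owner delegated, for as long as the owner allows.

```python
import time
from dataclasses import dataclass

# Everything below is constructed for this example (assumptions, not from the page):
# one bank account with a family of viewers, and a wallet whose owner delegates a scoped grant to a shop.


@dataclass(frozen=True)
class Session:
    """Result of authentication: only *who* the caller is, nothing about what they may do."""
    subject: str   # e.g. "alice" for a user, "shop.example" for a system-enabled site 120
    kind: str      # "user" or "site"


ACCOUNT_POLICY = {
    "acct-1001": {"primary": "alice", "viewers": {"alice", "bob", "carol"}},
}


def authorize_account(session, action, account):
    """Every family member is authenticated, but only the primary holder may transfer funds."""
    policy = ACCOUNT_POLICY.get(account)
    if session.kind != "user" or policy is None or session.subject not in policy["viewers"]:
        return False
    if action == "view_balance":
        return True
    if action == "transfer":
        return session.subject == policy["primary"]
    return False


@dataclass
class Grant:
    """A delegation from a wallet owner to one site: scoped to named operations and time-bound."""
    owner: str
    site: str
    operations: frozenset
    expires_at: float


class WalletService:
    """Payment/wallet service 116n: the owner controls it, sites get only what was delegated."""

    def __init__(self):
        self._grants = {}   # (owner, site) -> Grant
        # Constructed wallet contents keyed by the operation that reveals them.
        self._data = {"alice": {"read_card": "card-****-4242", "read_cash": "cash-acct-77"}}

    def delegate(self, owner_session, site, operations, ttl_seconds, now=None):
        """Only the authenticated owner of a wallet may delegate, and only a scoped, expiring grant."""
        now = time.time() if now is None else now
        if owner_session.kind != "user" or owner_session.subject not in self._data:
            raise PermissionError("only the wallet owner can delegate")
        self._grants[(owner_session.subject, site)] = Grant(
            owner_session.subject, site, frozenset(operations), now + ttl_seconds)

    def revoke(self, owner_session, site):
        """The owner withdraws a delegation; later site requests fail without any site cooperation."""
        self._grants.pop((owner_session.subject, site), None)

    def site_request(self, site_session, on_behalf_of, operation, now=None):
        """A site at checkout acts on behalf of a user: authenticated, but authorized only within the grant."""
        now = time.time() if now is None else now
        if site_session.kind != "site":
            raise PermissionError("only sites act on behalf of users here")
        grant = self._grants.get((on_behalf_of, site_session.subject))
        if grant is None or now > grant.expires_at:
            raise PermissionError("no valid delegation from this user to this site")
        if operation not in grant.operations:
            raise PermissionError(f"operation {operation!r} not delegated")
        return self._data[on_behalf_of][operation]

    def site_request_status(self, site_session, on_behalf_of, operation, now=None):
        """Return the wallet item, or a 'denied: ...' reason string suitable for an audit log."""
        try:
            return self.site_request(site_session, on_behalf_of, operation, now)
        except PermissionError as exc:
            return "denied: " + str(exc)
```

The denial reasons are deliberately distinct (no grant, expired grant, operation outside scope) so that a wallet service's audit log can tell a site that never received a delegation apart from one that overstepped it.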

User Identity. In the identity based service system 10, the identity 29 of a user U
comprises a persona for that user. As seen in Figure 10, a user U can preferably have
more than one identity 29. For example, a user U can have one identity 29 for personal
information, another for business information, and a third identity for "anonymous" web
access.

The use of multiple identities 29 allows users U to store relevant information associated
with each identity 29, and use or expose the information only as needed. For example,
as seen in Figure 10, while "Financial Entity A" corporate credit card information 118j
associated with a business identity 29 and work authentication record 132a is located in
the wallet 116n, the "Financial Entity A" corporate credit card information 118j is not
located in the wallet 116n associated with the home or personal authentication record
132b.

Similarly, an "anonymous" identity 29 would typically comprise no personally-identifiable
information, enabling use of that identity 29 in appropriate situations.

Scopes of Authentication. Network authentication occurs when a user's
evidence-of-authentication is issued by a network authentication service 116a (FIG. 10), and
enables a user U to access sites and services on the network 112. This enables
single-sign-on features, wherein all network participants accept network
evidence-of-authentication, in accordance with their own site policies, e.g. level of authentication
required, and in accordance with user opt-in choices.

In addition, a local authentication may occur, such as when evidence of authentication
for a user U is issued by a local site/service, using its own authentication facilities,
wherein the evidence of authentication is only valid for that specific site or service. A
local authentication does not inherently carry over with the user U from one site to another,
and does not allow the site to access network services on behalf of the user U.

Some embodiments of the identity based service system 10 provide both forms of
authentication, whereby the system 10 can be integrated with sites that already have an
authentication system.
Requester identity, such as that of a web consumer 48, is established by the inclusion
of a security token 186 (FIG. 13), which represents the identity of the requestor, and the
signing of relevant portions of the message with the key material implied by the security
token 186. The security token 186 may be an X.509 certificate, a Kerberos ticket, a
SAML assertion, a username & associated password, or any other valid security token
186, as deemed necessary by the web service provider 54. Additionally, replay
protection is preferably employed, such as a nonce-based challenge-response protocol,
a timestamp included in the signature, or other replay protection mechanism.

The responder's identity can be authenticated, such as by validating the signature
of the response (which contains the original RequestID).
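The requester and responder authentication just described, as an added example that is not code from the application or its authors. The requester includes its security token 186, a fresh nonce, a timestamp and a RequestID, and signs the relevant portions of the message; the provider checks the signature against the key material the token implies, rejects timestamps outside a window, and rejects any nonce it has already seen inside that window; the responder then signs a response that echoes the RequestID so the requester can tie it to its own request. The token names, keys, window length and the use of an HMAC as a stand-in for the signature are constructed assumptions for this example (the page lists X.509, Kerberos, SAML and username/password tokens; the check logic is the same whichever is used).

```python
import hashlib
import hmac
import json
import os
import time

REPLAY_WINDOW_SECONDS = 120

# Constructed for this example: a username-style security token 186 maps to key material at the WSP,
# and an HMAC over the canonical message stands in for the signature (assumption, not the page's protocol).
TOKEN_KEYS = {"wsc:shop.example": b"constructed-key-for-shop.example"}
RESPONDER_KEY = b"constructed-key-for-profile-wsp"


def _canonical(message):
    """Stable byte serialisation so both sides sign exactly the same relevant portions."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign_request(token, key, body, now=None):
    """Requester side: bind token, fresh nonce, timestamp and RequestID to the body under one signature."""
    now = time.time() if now is None else now
    message = {"token": token, "request_id": os.urandom(8).hex(),
               "nonce": os.urandom(16).hex(), "ts": now, "body": body}
    return {"msg": message, "sig": hmac.new(key, _canonical(message), hashlib.sha256).hexdigest()}


class ProviderVerifier:
    """WSP side: authenticate the requester and reject replays inside the timestamp window."""

    def __init__(self):
        self._seen = {}  # nonce -> timestamp it was signed with

    def verify(self, request, now=None):
        now = time.time() if now is None else now
        message, sig = request["msg"], request["sig"]
        key = TOKEN_KEYS.get(message["token"])
        if key is None:
            raise PermissionError("unknown security token")
        expected = hmac.new(key, _canonical(message), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("signature does not verify")
        if abs(now - message["ts"]) > REPLAY_WINDOW_SECONDS:
            raise PermissionError("timestamp outside the replay window")
        # Nonces older than the window can be forgotten: the timestamp check already rejects them.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= REPLAY_WINDOW_SECONDS}
        if message["nonce"] in self._seen:
            raise PermissionError("replayed nonce")
        self._seen[message["nonce"]] = message["ts"]
        return message["token"], message["request_id"]

    def status(self, request, now=None):
        """Rejection reason, or 'ok'; the same strings a provider would write to its audit log."""
        try:
            self.verify(request, now)
        except PermissionError as exc:
            return str(exc)
        return "ok"


def sign_response(request_id, body):
    """Responder echoes the original RequestID inside the signed response."""
    message = {"request_id": request_id, "body": body}
    return {"msg": message, "sig": hmac.new(RESPONDER_KEY, _canonical(message), hashlib.sha256).hexdigest()}


def verify_response(response, expected_request_id):
    """Requester side: the response must verify under the responder's key and carry our RequestID."""
    message = response["msg"]
    expected = hmac.new(RESPONDER_KEY, _canonical(message), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(response["sig"], expected):
        raise PermissionError("response signature does not verify")
    if message["request_id"] != expected_request_id:
        raise PermissionError("response does not match our request")
    return message["body"]
```

The nonce cache only has to remember nonces for one window because any message whose timestamp is older than the window is refused on the timestamp alone; that keeps the provider's replay state bounded without weakening the check.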

Long-Lived Access to Services. In some alternate system embodiments 10,
pursuant to the approval of a user U, the discovery service 54 assures long-lived
service assertions to a web service consumer 48, such that the web service consumer
48 can repeatedly invoke a service at the web service provider 54. Continual
acceptance of the service assertion 28 at the web service provider 54 is dependent on
user approval of continued access of the service at the web service provider 54.

However, in system embodiments 10 wherein revocation is desired to be controlled by
the identity provider 14 and associated discovery service 54, the discovery service 54
prevents long-lived service assertions to a web service consumer 48. (***Clarify as
needed***)

Service Infrastructure. While current system embodiments 10 comprise a profile
service (PS) 116 (FIG. 9), the identity based service system 10b preferably comprises a
complete services infrastructure, such that the profile service 116, as well as other
services, may be built on top of web service standards.

For example, the infrastructure is typically accessible via SOAP over HTTP calls, as
defined by WSDL descriptions, and uses agreed-upon schemas, such that the web
services infrastructure transparently supports both static and dynamic data. An
example of static data is a basic profiling service that returns an e-mail address. An
example of dynamic data is that of an infrastructure served by a calendar service, which
returns calendar appointments.

Services themselves are relatively coarse-grained (***Please clarify***), containing
collections of attributes and service calls, such as a user's profile 116b, wallet 116n, or
calendar/alerts 116c.

Core Authentication Records. Figure 10 is a functional block diagram of a core
authentication record (CAR) 132, which is maintained on behalf of a user U, such as by
the BAA (FIG. XX) (***Is this shown?***). The core authentication record 132
comprises links 136,140 to sites 120a-120k which are associated through the identity
based service system 10. The core authentication record 132 is also linked to an ACL
134 (***Please describe as needed***), and to services 138, such as core services
116, as provided by core service providers 118.

Figure 11 is a functional block diagram of multiple core authentication records (CAR)
132a, 132b, which are maintained on behalf of a user U. Some preferred embodiments
of the identity based service system 10 comprise support for multiple identities, i.e.
personifications or personas, for a user U, wherein a user may interact differently, such
as within different environments.

For example, users U often look at their work personification as different and distinct
from their home personification, with different sites 120 visited, different credit cards
116n, and sometimes even different alert mechanisms 116c.

As seen in Figure 11, multiple core authentication records (CAR) 132a, 132b are
preferably supported by the identity based service system 10, whereby a user U
selectively logs in 18 to one or more core authentication records 132.
The links 136 also preferably include quick-links 140 between accounts 132. Once a
user U logs in 18 to either account 132, they can switch between the accounts 132, e.g.
from 132a to 132b, on an as needed or as desired basis, without logging in 18 again.
For example, as seen in Figure 11, a user U within a work authentication record 132a
can link 140d to the associated home authentication record 132b for the user U.
Similarly, the user U within a home authentication record 132b can link 140g to the
associated work authentication record 132a for the user U.

Figure 12 is a functional block diagram 160 of multiple core authentication records
(CAR) 132a, 132b, which are maintained on behalf of a user U, based upon the use of
different devices 192a, 192b (FIG. 14). The identity based service system 10 also
preferably comprises support for multiple devices 192 for a user U, wherein a user logs
on 18 to the system through any of a plurality of devices 192, such as through a desktop
computer 192a in an office, or through a mobile device 192b at any location.

While the user U may retain a similar identity while operating different devices, such as
a work identity, the chosen services 138,116 and links 136,140 linked to the
authentication records 132a, 132b may be chosen or selected as suitable for the device
192. For example, an extended alert list 116c may be linked to a desktop computer
192a, while an abbreviated alert list 116c may be linked to a mobile device 192b, such as a
personal digital assistant 192b, or an Internet enabled cell phone 192b. Similarly, a
wide variety of web site links 140 may be linked to a desktop computer 192a, while only
a few key web site links 140 may be linked to a mobile device 192b.

While much of the identity 29, services 116, and/or core providers 118 may be shared
between authentication records 132a, 132b in Figure 12, the authentication records
132a,132b provide a customized operating environment for a user U, which is based on
the device 192 from which the user U logs in 18.

System Advantages. The identity based service system 10 provides significant
advantages over conventional identity and service structures. Through the
establishment of a system identity 29, a user U can quickly provide information as
needed to system entities 27, while controlling how the information is distributed. The
use of a secure and centralized identity structure provides controlled authentication and
authorization of all system entities 27.

Through the use of detailed identity information, the identity based service system 10
provides unique value-added services, such as fast sign-in 18, a customized personal
network environment, and quick links 140 to existing and new associated web service
providers 120.

System Operation. Figure 14 is a schematic view 190 of a user logging onto a first
service provider site 120, wherein the user does not currently have a system identity 29.
In the process of registering as a user at the site 120, the user typically establishes a
user name 192 and password 194, and enters appropriate information to operate within
the site 120, such as name, address, and/or credit information 96.

Figure 15 is a second view 200 of operation for an identity based service system 10,
wherein the user is asked if an identity based service system identity 174 is desired, to
easily establish relationships with other providers 120, such as through selectable
member site links 202, and/or to establish or manage system services 116, e.g. such as
to establish a profile service 116b or a wallet service 116n, through selectable service
links 204.

Figure 16 is a third view 210 of operation for an identity based service system 10, in
which a system identity 29 is established at an identity provider 14. The information
gathered from the first site 120 is securely stored in the identity provider 14. The user U
may easily choose one or more member site links 202 and/or service links 204, typically
from an identity service selection screen 206.

Although the identity based service system and its methods of use are described herein
in connection with personal computers, mobile devices, and other microprocessor-based
devices, such as portable digital assistants or network enabled cell phones, the
apparatus and techniques can be implemented for a wide variety of electronic devices
and systems, or any combination thereof, as desired.

As well, while the identity based service system and its methods of use are described
herein in connection with interaction between a principal and a network through a
device, the use of identity based services can be implemented for a wide variety of
electronic devices and networks or any combination thereof, as desired.

Accordingly, although the invention has been described in detail with reference to a
particular preferred embodiment, persons possessing ordinary skill in the art to which
this invention pertains will appreciate that various modifications and enhancements may
be made without departing from the spirit and scope of the claims that follow.

CLAIMS

What is claimed is:

1. An identity based service system, comprising:

at least one principal comprising at least one identity comprising user information;

an identity provider for managing at least one identity for the principal, and for
authenticating the principal; and

a system entity which is accessible by the principal, based on an authentication
of the principal by the identity provider, and based on retrieval of at least a portion of
user information from the identity provider.

2. The identity based service system of Claim 1, further comprising:

at least one core service associated with the system and related to at least a
portion of the user information.

3. The identity based service system of Claim 2, wherein the core service is accessible
by the user, based on an authentication of the principal by the identity provider.

4. The identity based service system of Claim 2, wherein the core service is accessible
by the system entity, based on an authentication of the principal by the identity provider.

5. The identity based service system of Claim 2, wherein the core service is associated
with one or more core service providers.

6. The identity based service system of Claim 2, wherein the core service comprises
any of an authentication service, a profile service, an alert service, a calendar service,
and a wallet service.

7. The identity based service system of Claim 1, wherein the identity provider further
comprises means for translating namespaces, such that a user identity of a principal in
a first namespace is translatable to a user identity in a second namespace.

8. The identity based service system of Claim 7, wherein the user identity in the second
namespace is encrypted.

9. The identity based service system of Claim 7, wherein the user identity in the second
namespace is time-bound.

10. The identity based service system of Claim 1, further comprising:

at least one core authentication record associated with the identity, comprising
any of services and links associated with the identity.

11. An identity based service system, comprising:

an identity module for managing an identity for a user;

a discovery module associated with the identity module and adapted to receive a
user name identifier and a service name associated with the user;

means for discovering a service descriptor for the user, based on a received
name identifier and a service name; and

whereby at least one web service is accessible, based upon the discovered
service descriptor and the name identifier.

12. The identity based service system of Claim 11, further comprising:

at least one core service associated with the system and related to the user.

13. The identity based service system of Claim 12, wherein the core service is
accessible by the user, based on a system authentication of the principal at the identity
module.
14. The identity based service system of Claim 12, wherein the core service is
accessible by a system entity, based on an authentication of the principal at the identity
module.

15. The identity based service system of Claim 12, wherein the core service is
associated with one or more core service providers.

16. The identity based service system of Claim 12, wherein the core service comprises
any of an authentication service, a profile service, an alert service, a calendar service,
and a wallet service.

17. The identity based service system of Claim 11, wherein the identity module further
comprises means for translating namespaces, such that a user identity of a principal in
a first namespace is translatable to a user identity in a second namespace.

18. The identity based service system of Claim 17, wherein the user identity in the
second namespace is encrypted.

19. The identity based service system of Claim 17, wherein the user identity in the
second namespace is time-bound.

20. The identity based service system of Claim 1, further comprising:

at least one core authentication record associated with the identity, comprising
any of services and links associated with the identity.

21. The system of Claim 11, wherein the principal is located at a device linked to the
identity based service system.

22. An identity based service process, comprising:

providing an identity module for managing an identity for a user;

receiving a user name identifier and a service name associated with the user;
discovering a service descriptor for the user, based on a received name identifier
and a service name; and

controllably authenticating access to a service, based upon the receipt of the
discovered service descriptor and the name identifier.

23. The process of Claim 22, further comprising the step of:

establishing at least one core service associated with the system and related to
the user.

24. The process of Claim 23, wherein the core service is accessible by the user, based
on a system authentication of the principal at the identity module.

25. The process of Claim 23, wherein the core service is accessible by a system entity,
based on an authentication of the principal at the identity module.

26. The process of Claim 23, wherein the core service is associated with one or more
core service providers.

27. The process of Claim 23, wherein the core service comprises any of an
authentication service, a profile service, an alert service, a calendar service, and a
wallet service.

28. The process of Claim 22, further comprising the step of:

translating namespaces, such that a user identity of a principal in a first
namespace is translated to a user identity in a second namespace.

29. The process of Claim 28, further comprising the step of:

encrypting the user identity in the second namespace.

30. The process of Claim 22, wherein the user identity in the second namespace is
time-bound.

31. The process of Claim 22, further comprising the step of:

associating at least one core authentication record with the identity, comprising
any of services and links associated with the identity.

32. A process, comprising the steps of:

providing an identity provider networked to a service having a service name;

establishing an identity at the identity provider for a principal, comprising
information and a name identifier for a user;

establishing a link between the principal and the service by the identity provider,
based upon a receipt of a name identifier and a service name.

Identity Based Service System

ABSTRACT OF THE DISCLOSURE

An identity based service system is provided, in which an identity is created and
managed for a user or principal, such that at least a portion of the identity is
available to use between one or more system entities. A discovery service
enables a system entity to discover a service descriptor, given a service name
and a name identifier of the user, whereby system entities can find and invoke
the user's other personal web services. The discovery service preferably
provides a translation between a plurality of namespaces, to prevent linkable
identity information over time between system entities.

Thursday, July 17, 2003

Subject: Re: AOL0091 Patent Draft *Comments due ASAP!
Date: Thu, 17 Jul 2003 13:53:06 -0400
From: "David Wexelblat" <davidwexelblat@aol.com>
Organization: America Online, Inc
To: "Jessica Pallach" <jessica@glenn-law.com>
CC: "Conor Cahill" <ConCahill@aol.com>, edwinaoki@aol.net, j@thecameres.com, sjcarriere@hotmail.com

Jessica Pallach wrote:

Hi Conor, Edwin, David, and Jeromy,

Further to our emails of May 22 and June 11, we are still awaiting your review comments and/or approval to file the above-referenced application. I've attached another copy of the application and figures for your convenience.

Please make your final review (if you have not yet done so) and email your red-lined version, or approval to file, to me by Friday, July 18.

I've been working on a firedrill for the last couple of months which isn't going to let up until at least the end of the month, so I haven't been able to do a detailed line-by-line review. I will try to send some more comments if I can, but the one big issue I have is that "core services" is defined as authentication, profile, wallet calendar and alerts. I think this is an overly-broad definition, one that would be susceptible to being implemented around (e.g. someone implements what we've described, but without calendar, it isn't the service as we've described). For what we are trying to define here, only authentication, and possibly profile, would be considered "core" and everything else applications on top of these core services. With the definition of "core authentication record" and "discovery service", I don't think profile is even core.

I think the ambiguity arose from the set of services initially planned for Magic Carpet Network VI. Those services were core to business, not core to the technology or implementation thereof.

Please also send me your full name, residence address, and country of citizenship. I need to prepare the formal documents and will email them to you for signatures.

David Eli Wexelblat
1811 Vance Place
Vienna, VA 22182
Citizen of USA

Please let me know if you have any questions. I look forward to hearing from you soon.

Thanks!

Jessica L. Pallach
Patent Administrator / IP Database Manager
Glenn Patent Group
3475 Edison Way, Suite L
Menlo Park, CA 94025
650-474-8400
650-474-8401 (Fax)
jessica@glenn-law.com

This message is intended only for the individual to whom it is addressed and may contain information that is confidential, privileged, or otherwise exempt from disclosure under applicable law. If you are not the individual to

Tuesday, July 22, 2003

Subject: Re: AOL0091 Patent Draft *Comments due ASAP!
Date: Mon, 21 Jul 2003 07:54:27 -0700
From: Edwin Aoki <edwinaoki@aol.net>
To: Jessica Pallach <jessica@glenn-law.com>
CC: Conor Cahill <ConCahill@aol.com>, davidwexelblat@aol.com, j@thecameres.com, sjcarriere@hotmail.com

Jessica,

I apologize for the delay; I was out of town for the past three weeks and am just now getting through the backlog of email. (Of course, I do recognize that I've had this draft for longer than that.) I've included redlines in the attached document. Some are clarifications (as requested) and others are some corrections to figure numbers based on my reading of the text. I would appreciate it if you could attempt to verify that I interpreted the text correctly in making the corrections; this is not simple stuff, and it's been a while since we'd looked at some of this system design.

Thanks again for your effort to make this understandable - or at least understandable to the folks over at the PTO. :-)

Let me know if you have any further questions,
-Edwin

P.S. The information you asked for:
Norihiro Edwin Aoki
1296 Morningside Drive, Sunnyvale, CA 94087-1555
Citizen of the United States.



Jessica Pallach wrote:

> Hi Conor, Edwin, David, and Jeromy,
>
> Further to our emails of May 22 and June 11, we are still awaiting
> your review comments and/or approval to file the above-referenced
> application. I've attached another copy of the application and figures
> for your convenience.
>
> Please make your final review (if you have not yet done so) and email
> your red-lined version, or approval to file, to me by *Friday, July 18.*
>
> Please also send me your full name, residence address, and country of
> citizenship. I need to prepare the formal documents and will email
> them to you for signatures
>
> Please let me know if you have any questions. I look forward to
> hearing from you soon,
>
> Thanks!
>
> --
> Jessica L. Pallach
> Patent Administrator / IP Database Manager
> Glenn Patent Group
> 3475 Edison Way, Suite L
> Menlo Park, CA 94025
> 650-474-8400
IDENTITY BASED SERVICE SYSTEM

FIELD OF THE INVENTION

The invention relates to the field of network based services and structures. More particularly, the invention relates to identity creation, management, authentication, and authorization structures for enhanced network services.

BACKGROUND OF THE INVENTION

At the present time, the identity of an individual or user in a network environment, such as the Internet, is comprised of a large number of pieces of information, which are collected and recollected by a large number of entities. Some basic information regarding an individual, such as but not limited to name information, address information, identification information, financial information, profile information, and/or preference information, is repeatedly collected and stored at a large number of system entities. Additional information, such as a user name and password, is created, as necessary, such that the individual or user can sign on and/or gain access to a service provider.

A large number of pieces of an individual's business and personal identity are therefore scattered across an increasing number of system entities, such as but not limited to commercial entities, banking and investment institutions, credit card companies, service providers, and/or educational institutions.

Individuals are therefore required to repeatedly enter much of the same information, in the process of numerous professional and/or personal endeavors. Furthermore, as the information for an individual changes, the stored information becomes increasingly impractical to manage and/or update. In addition, the numerous user names and passwords associated with an individual quickly become unwieldy, such that users often forget or lose track of the information they need to access services and/or accounts.

Several structures and methods have been described for identity and proxy-based networks, such as:

E. Gabber, P. Gibbons, Y. Matias, and A. Mayer, System and Method for Providing Anonymous Personalized Browsing by a Proxy System in a Network, U.S. Pat. No. 5,961,593, 05 October 1999, describes a system "For use with a network having server sites capable of being browsed by users based on identifiers received into the server sites and personal to the users, alternative proxy systems for providing substitute identifiers to the server sites that allow the users to browse the server sites anonymously via the proxy system. A central proxy system includes computer-executable routines that process site-specific substitute identifiers constructed from data specific to the users, that transmits the substitute identifiers to the server sites, that retransmits browsing commands received from the users to the server sites, and that removes portions of the browsing commands that would identify the users to the server sites. The foregoing functionality is performed consistently by the central proxy system during subsequent visits to a given server site as the same site specific substitute identifiers are reused. Consistent use of the site specific substitute identifiers enables the server site to recognize a returning user and, possibly, provide personalized service";

Proxy-Based Security Protocols in Networked Mobile Devices; M. Burnside, D. Clarke, T. Mills, S. Devadas, and R. Rivest; MIT Laboratory for Computer Science; event,declarke,mills,devada,rivest@mit.edu;

SPKI/SDSI HTTP Server / Certificate Chain Discovery in SPKI/SDSI; D. Clarke; MIT Laboratory for Electrical Engineering and Computer Science, September 2001;

Grid Information Services for Distributed Resource Sharing; K. Czajkowski, S. Fitzgerald, I. Foster, C. Kesselman; Proc. 10th IEEE Symposium on High-Performance Distributed Computing, 2001;

Certificate Discovery Using SPKI/SDSI 2.0 Certificates; J. Elien; MIT Department of Electrical Engineering and Computer Science; May 1998; and

Local Names in SPKI/SDSI; N. Li; NYU Department of Computer Science; Proceedings of the 13th IEEE Computer Security Foundations Workshop.

Other systems provide various details of the operation of network identity and proxy systems, such as U.S. Patent No. 6,460,036, System and Method for Providing Customized Electronic Newspapers and Target Advertisements; U.S. Patent No. 6,029,195, System for Customized Electronic Identification of Desirable Objects; U.S. Patent No. 5,835,087, System for Generation of Object Profiles for a System for Customized Electronic Identification of Desirable Objects; U.S. Patent No. 5,754,939, System for Generation of User Profiles for a System for Customized Electronic Identification of Desirable Objects; U.S. Patent No. 5,754,938, Pseudonymous Server for System for Customized Electronic Identification of Desirable Objects; U.S. Patent No. 6,490,620, Integrated Proxy Interface for Web Based Alarm Management Tools; U.S. Patent No. 6,480,885, Dynamically Matching Users for Group Communications Based on a Threshold Degree of Matching of Sender and Recipient Predetermined Acceptance Criteria; U.S. Patent No. 6,473,407, Integrated Proxy Interface for Web Based Alarm Management Tools; U.S. Patent No. 6,421,733, System for Dynamically Transcoding Data Transmitted Between Computers; U.S. Patent No. 6,385,652, Customer Access Solutions Architecture; U.S. Patent No. 6,373,817, Chase Me System; U.S. Patent No. 6,338,064, Method for Enabling a Web Server Running a "Closed" Native Operating System to Impersonate a User of a Web Client to Obtain a Protected File; U.S. Patent No. 6,259,782, One-Number Communications System and Service Integrating Wireline/Wireless Telephone Communications Systems; U.S. Patent No. 5,974,566, Method and Apparatus for Providing Persistent Fault-Tolerant Proxy Login to a Web-Based Distributed File Service; European Pat. No. EP 1094404, Collaborator Discovery Method and System; European Pat. No. EP 1031206, Identity Discovery Method for Detecting Authorized Security Service Which is Illicitly Transferring Decoding Capabilities for use in Unauthorized Security Devices; The Session Initiation Protocol: Internet-Centric Signaling; H. Schulzrinne, J. Rosenberg; IEEE Communications Magazine; October 2000; How Bluetooth Embeds in the Environment, Lawday, G.; Electronic Product Design; Nov. 2001; and Business: Designing with Users in Internet Time; J. Braiterman, S. Verhage, and R. Choo; Interactions: Sept.-Oct. 2000.

It would be advantageous to provide an identity based service system, which does not require a user to create a user identity for each service provider. The development of such an identity based service system would constitute a major technological advance.

Furthermore, it would be advantageous to provide an identity based service system, which allows a user to create an identity which can be controllably accessed and shared by a plurality of service providers. The development of such an identity based service system would constitute a further technological advance.

As well, it would be advantageous that such an identity based service system be integrated with existing site authentication and authorization structures, such that the identity based service system is readily used by a wide variety of sites. The development of such an identity based service system would constitute a further major technological advance.

SUMMARY OF THE INVENTION

An identity based service system is provided, in which an identity is created and managed for a user or principal, such that at least a portion of the identity is available to use between one or more system entities. A discovery service enables a system entity to discover a service descriptor, given a service name and a name identifier of the user, whereby system entities can find and invoke the user's other personal web services. The discovery service preferably provides a translation between a plurality of namespaces, to prevent linkable identity information over time between system entities.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a basic functional block diagram for an identity based service system, in which a service provider accesses services for a principal;

Figure 2 is a flow diagram for the access of service within an identity based service system;

Figure 3 is a functional block diagram of an identity based service system, comprising a discovery service associated with an identity provider, a web service provider, and a web service consumer;

Figure 4 is a flow diagram for the access of service within an identity based service system comprising a discovery service associated with an identity provider, a web service provider, and a web service consumer;

Figure 5 is a functional block diagram of an identity based service system, in which a discovery service issues service assertions that are used to invoke services;

Figure 6 is a flow diagram for the access of service in the identity based service system shown in Figure 5;

Figure 7 is a functional block diagram of profile service principal core information;

Figure 8 is a functional block diagram of a profile data entry;

Figure 9 is a schematic view of an identity based service system configured on a virtual network;

Figure 10 is a functional block diagram of a core authentication record;

Figure 11 is a functional block diagram of multiple core authentication records which are maintained on behalf of a plurality of identities for a user;

Figure 12 is a functional block diagram of multiple core authentication records maintained on behalf of a user, based upon system access through different devices;

Figure 13 is a schematic view of namespace translation within the identity based service system;

Figure 14 is a first schematic view of operation for an identity based service system, in which a user logs onto a first service provider site;

Figure 15 is a second view of operation for an identity based service system, wherein a user may select system site links and/or system service links; and

Figure 16 is a third view of operation for an identity based service system, in which a system identity is established at an identity provider.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Figure 1 is a basic functional block diagram for an identity based service system 10a, in which a service provider 16 accesses services for a principal 12. Figure 2 is a flow diagram 30 for the access of service within an identity based service system 10. In Figure 1, the system entities 27 comprise an identity provider 14, a service provider 16, and a principal 12. The system entities 27 assume roles within the identity based service system 10.

A principal 12, such as a user or user agent, is an entity 27 that can acquire a system identity 29, and be authenticated and vouched for 19 by an identity provider 14. A principal 12 often comprises a user, using a user agent, either a web browser or a smart web services client.

An identity provider (IDP) 14 authenticates and vouches for principals 12, and provides system management for system identities 29. A service provider (SP) 16 provides service to one or more requestors, such as principals 12, typically through a web consumer 48 (Fig. 3), upon proof of authentication 19 by the identity provider 14.

The identity based service system 10a shown in Figure 1 provides a web services-based service infrastructure that enables users U to manage the sharing of their personal information across an identity provider 14 and service providers 16. In some system embodiments 10, the system 10 also provides personalized services 116 (FIG. 9) for users U (FIG. 11).

For example, a user U, through a principal 12, is able to authorize a service provider 16 to access his or her contact data 94a (FIG. 7), such as shipping address data 96 (FIG. 7), while processing a transaction. Principals 12 are able to use sophisticated clients that support web services, in addition to traditional browser-oriented user agents. In some system embodiments, web services are defined as Simple Object Access Protocol (SOAP) bindings over HTTP calls, comprising header blocks and processing rules, which enable the system to invoke identity services 116, through SOAP requests and responses.

The identity based system framework 10 enables service providers 16 and other system entities 27 to craft and offer sophisticated services, including multi-provider-based services 116 (FIG. 9).
Figure 3 is a functional block diagram 40 of an identity based service system 10b, which further comprises a discovery service 42 associated with the identity provider 14, a web service provider 42, and a web service consumer 48. Figure 4 is a flow diagram 60 for the access of service within an identity based service system 10b.

A web service provider (WSP) 54 hosts personal web services 116 (FIG. 9), such as a profile service 116b (FIG. 9), while a web service consumer (WSC) 48 invokes web services 116 at web service providers WSP 54. With appropriate identification and authorization, a web service consumer 48 is able to access the user's personal web services 116, by communicating with the web service provider endpoint 54.

As seen in Figure 3, the identity provider IDP 14 provides authentication 19 to the principal 12, based upon a successful log in 18. The principal 12 then interacts with the service provider 16, and relays the authentication information 19, comprising an IDP assertion 45 and a discovery service descriptor 26.

The service provider SP 16, acting as a web service consumer 48, uses the discovery service 42, to determine whether the principal 14 is enabled for a particular service 116, and to obtain the necessary assertions which authorize use of the service 116. The policy framework addresses whether the principal 12 is enabled for some particular service, and if so, what fine-grained methods are allowed, and what data is to be returned. Web service security is typically applied to all messages flowing between system entities 27.

As seen in Figure 3, the identity based service system 10b comprises a web-service infrastructure, which comprises the discovery service 42, service invocation 52, a permission and authorization framework, a change management framework, as well as a mobile infrastructure.
In some system embodiments 10, web service consumers 48 are hosted on a server at a service provider 54. In alternate system embodiments 10, web service consumers 48 are hosted on a user device 192 (FIG. 14).

A discovery service (DS) 44 is typically hosted by an identity provider (IDP) 14, and enables web service consumers 48 to discover service endpoint information 96 (FIG. 7) associated with the personal web services 116 of a user U.

Architectural Components. The identity based service system 10 comprises the following architectural components:

Services. A service is a grouping of common functionality. For example, a core profile service 116b (FIG. 9) handles all interaction to do with user profile information 96. Services typically offer one or more methods callers use to manipulate the information managed by the service, and are typically scoped in the context of a particular principal 12, e.g. GetProfile (Principal) accesses the principal's entire set of profile data.

Services may be either RPC-style or one-way exchanges. In RPC-based exchanges, the Web Services Consumer 48 is the requestor 50, and the Web Services Provider 54 is the responder 51.

Schemas. Schemas describe the syntax and relationships of data. Each service element 116 comprises an associated schema for the data that is relevant to the service element 116. For example, the profile service 116b comprises schema elements 96 which are relevant to a profile 94, such as but not limited to a name, an address, and a phone number for a user U.

System Entity Roles. System Entities may assume one or more roles.
As seen in Figure 3, service descriptors 26 are used to locate a system service 54, while service assertions 28 are used as credentials, to access the system service 54. A service descriptor 26 typically describes a SOAP endpoint for an identity based system service 54. A service assertion 28 is an assertion used as a credential to access an identity based system service 54.

Discovery Service Overview. In the identity based service system 10, the personal web services 116 for a user U are preferably distributed across multiple web service providers 54. Therefore, web service consumers 48 comprise a means for discovering service locations 54. The discovery service 42 is a personal web service which enables system entities 27 to discover a service descriptor 26, given a service name and a user's name identifier 174 (FIG. 13), whereby a web service consumer 48 is able to find and invoke the web services 54 of a user U.

Figure 5 is a functional block diagram 70 of an identity based service system 10, in which a discovery service 42 issues service assertions 28 that are used to invoke services 54. Figure 6 is a flow diagram 80 for the access of service 54.

Because of the pseudonymous identity of users in the identity based service system 10, web service consumers 48 and web service providers 54 do not have a common name for a user U. The identity provider 14 of a user U is the system entity 27 that maps between the disparate namespaces 176, 182 (FIG. 13). As seen in Figure 13, the discovery service 42, which is hosted by the identity provider 14, provides this namespace translation.

The web service consumer 48 prompts the name translation service by sending the user's name 174a in the WSC-IDP namespace 176 to the identity provider 14. The identity provider 14 hands back a user name 174b in the WSP-IDP namespace 182, in a format such that the web service consumer 48 is blinded to this name, via encryption 184. The encrypted value 184 of the name 174b is preferably different each time the name 174a, 174b is used, such that there is no linkable identity information over time between the web service consumer 48 and the web service provider 54. This name translation assertion 28 is also preferably time-bound, to prevent long-term use of a translated name 174b, and to prevent linking of the actions of a principal 12.

In the identity based service system 10, the user's identity provider 14 always hosts the discovery service 42, since the discovery service 42 must be aware of the pair-wise identifier relationships 174a, 174b between parties 27.

In response to a discovery request, the service 42 returns 52 a service descriptor 26 that points to a particular web service provider 54. Additionally, a translated name 174b and relevant security tokens 186 (FIG. 13) are typically included as well. Some discovery services 42 enforce user presence requirements on web service consumers 48, and/or enforce one or more authorization rules on each web service consumer 48.

The discovery service 42 also provides an administrative interface, whereby a set of services 116 for a user can be configured. Services may be registered and unregistered. (***Please clarify these features as needed***)
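The name translation and discovery response described above, as an added example constructed for this page (it is not the application's or AOL's code). It assumes a key shared between the identity provider and each web service provider, a fixed lifetime for the translation assertion, a JSON claims format, and a seal/unseal construction (HMAC-derived keystream with an HMAC tag) standing in for whatever encryption 184 the system uses; all of these are assumptions. Two discovery responses for the same user carry different tokens, so the consumer cannot link them, while the provider recovers the same WSP-namespace name from both and rejects it once the time bound has passed:

```python
"""Discovery service with blinded, per-use, time-bound translated names.

Constructed illustration of the namespace translation in the text; not the
application's own code. The IDP-WSP shared key and the JSON claims layout
are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    # Separate keystream and MAC keys derived from the key the IDP shares with one WSP.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh random nonce: sealing the same name twice
    yields different bytes, which is what keeps the WSC from linking two requests."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token integrity check failed")
    stream = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class DiscoveryService:
    """Hosted by the IDP: holds the pair-wise pseudonyms and hands out descriptors."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._consumer_names = {}  # (wsc_id, name in WSC-IDP namespace) -> internal handle
        self._services = {}        # (handle, service name) -> (name in WSP-IDP namespace, endpoint, key)

    def link_consumer(self, wsc_id, name_in_wsc_ns, handle):
        self._consumer_names[(wsc_id, name_in_wsc_ns)] = handle

    def register_service(self, handle, service_name, name_in_wsp_ns, endpoint, wsp_key):
        self._services[(handle, service_name)] = (name_in_wsp_ns, endpoint, wsp_key)

    def discover(self, wsc_id, name_in_wsc_ns, service_name, now):
        """Return a service descriptor (endpoint) plus a translated name the WSC cannot read."""
        handle = self._consumer_names.get((wsc_id, name_in_wsc_ns))
        if handle is None:
            raise LookupError("unknown principal for this consumer")
        entry = self._services.get((handle, service_name))
        if entry is None:
            raise LookupError("principal is not enabled for this service")
        name_in_wsp_ns, endpoint, wsp_key = entry
        claims = {"sub": name_in_wsp_ns, "aud": service_name, "exp": now + self.ttl}
        token = seal(wsp_key, json.dumps(claims, sort_keys=True).encode())
        return {"endpoint": endpoint, "token": base64.b64encode(token).decode()}


def wsp_accept(wsp_key, token_b64, service_name, now):
    """Run at the web service provider: recover the WSP-namespace name and enforce the time bound."""
    claims = json.loads(unseal(wsp_key, base64.b64decode(token_b64)))
    if claims["aud"] != service_name:
        raise PermissionError("token issued for a different service")
    if now >= claims["exp"]:
        raise PermissionError("translated name has expired")
    return claims["sub"]
```

The point to check in a real deployment is the same one the test below checks: the consumer sees a different token on every discovery call, the provider sees one stable name, and a token presented after its lifetime (or under the wrong key) is rejected rather than silently accepted.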

Profile Service. Figure 7 is a functional block diagram 90 of profile service 116b (FIG. 9) principal core information 92. A profile service 90 manages the core personal information 92 for a principal 12. The core personal information 92 typically comprises a plurality of data types 94a-94n, such as contact data 94a, demographic data 94b, and/or core preferences 94n.

A profile service 116 (FIG. 9) allows principals 12 to create a profile 92, to update profile data 94a-94n, and to specify privacy controls 98. Once a user creates a profile 92, the profile 92 can be used at any of the system web service consumer 48 sites, such that principals 12 are not required to re-enter data, such as on a registration form.
30 
Figure 8 is a functional block diagram of a profile data entry. Each profile data entry 96 is typically associated with a collection of metadata 107, including, but not limited to, data categories 102, change timestamp information 104, data validation information 106, and/or creator information 108.

Data category information 102 allows information to be classified as applicable, such as to define a home or business profile. For example, an address can be classified as a home and/or a business address. Data categories 102 are typically defined by web service providers 54, by web service consumers 48, and/or by principals 12.

Change timestamp information 104 typically comprises a number 105, e.g. 105a, which represents the latest modification time of a particular node and associated descendants.

Data validation information 106 comprises an indication of whether the data content 94 has been validated or not. If the data content 94 is validated, the information may preferably comprise what type of validation was performed, and when the validation was performed. A web service consumer 48 typically uses metadata 107.
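A worked version of this metadata model, added here as an example rather than code from the application: a profile tree in which every node carries the latest modification time of itself and its descendants (change timestamp information 104), leaves carry data categories (102) and a validation record (106), and a consumer can ask which entries changed since its last sync without walking untouched subtrees. The slash-separated path layout, the integer timestamps and the rule that a changed value loses its validation are assumptions made for the illustration:

```python
"""Profile entries with change-timestamp and validation metadata.

Constructed illustration of metadata 102/104/106 from the text; not the
application's code. Paths, integer clocks and the revalidation rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProfileNode:
    name: str
    value: Optional[str] = None
    modified: int = 0                                   # latest change of this node or any descendant
    categories: set = field(default_factory=set)        # e.g. {"home"}, {"business"}
    validation: Optional[dict] = None                   # {"method": ..., "when": ...} once validated
    children: Dict[str, "ProfileNode"] = field(default_factory=dict)


def _find(root: ProfileNode, path: str) -> ProfileNode:
    node = root
    for part in path.split("/"):
        node = node.children[part]
    return node


def set_value(root: ProfileNode, path: str, value: str, now: int, categories=()) -> ProfileNode:
    """Create or update the entry at `path`. Every ancestor's timestamp is raised to `now`,
    so a subtree's root timestamp alone tells a consumer whether anything below it changed."""
    node = root
    node.modified = max(node.modified, now)
    for part in path.split("/"):
        node = node.children.setdefault(part, ProfileNode(part))
        node.modified = max(node.modified, now)
    node.value = value
    node.categories.update(categories)
    node.validation = None  # assumption: a changed value must be validated again
    return node


def validate(root: ProfileNode, path: str, method: str, now: int) -> ProfileNode:
    """Record what kind of validation was performed on an entry, and when."""
    node = _find(root, path)
    node.validation = {"method": method, "when": now}
    return node


def is_validated(root: ProfileNode, path: str) -> bool:
    return _find(root, path).validation is not None


def changed_since(root: ProfileNode, since: int, prefix: str = "") -> List[str]:
    """Paths of leaf entries modified after `since`, pruning whole subtrees whose
    aggregated timestamp shows nothing beneath them changed."""
    out: List[str] = []
    for name, child in root.children.items():
        if child.modified <= since:
            continue
        path = f"{prefix}{name}"
        if child.value is not None:
            out.append(path)
        out.extend(changed_since(child, since, path + "/"))
    return sorted(out)
```

A consumer that cached the profile at time 150 only needs the entries `changed_since(root, 150)` returns; the provider never has to diff values, because the timestamps were maintained on write.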

Figure 9 is a schematic view 110 of an identity based service system 10 configured on a virtual network 112. The virtual network 112 provides a single set 114 of services 116a-116n, which are provided by one or more contributors 118a-118j. The virtual network 112 formed within the identity based service system 10 provides one or more core services 116, such as an authentication service 116a, a profile service 116b, an alert service 116c, and/or a wallet service 116n. The identity based service system 10 also supports other value-added services 116 for a user, such as a calendar service and/or an address book service. The identity based service system 10 provides access for a wide variety of web consumer sites 120a-120k, such as large and small business sites 120a, 120k.

(120k appears to be cut off in the diagrams: I'm assuming this is the line out of "small retail"?)
As seen in Figure 9, service consumers 48 comprise sites which use services 116 from the network 112. As seen through a site 120, the services 116 presented by the virtual network 112 preferably look like a single set 114 of services 116, i.e. from a single provider 118 of services, even though the services are typically provided by any number of contributors 118a-118j.

The core service provider 118b shown in Figure 9 provides all of the core services 116a-116n on the virtual network 112. While some basic services, such as a profile service, are currently available through some Internet providers, such services are separate and distinct. In the identity based service system 10, the various services 116a-116n are aware of each other and of the virtual network 112.

As seen in Figure 9, the identity based service system 10 preferably comprises a plurality of service contributors, i.e. vendors 118a-118j. While different vendors 118 typically contribute different sets of varying services 116, the source of a service 116 is typically transparent to users U as they interact with the recipient sites 120.

Levels of Trust and Integration. The identity based service system 10 preferably provides varying levels of trust and integration. For example, as seen in Figure 9, a small retail site 120k typically comprises a low level of trust, such that a user U is typically asked to confirm transactions, through redirect exchanges with the system 10.

A larger site 120, such as a large retail site 120a or an auction site 120b, which is integrated with the network 112 and is able to perform tasks on behalf of the user U, e.g. get money from a wallet 116n, typically has a higher level of trust with the system 10.

Core service providers 118, such as providers 118a-118j of core services 116, typically have a high level of trust with the system 10, and are able to perform system functions on behalf of a user U. In addition, core service providers 118 which provide authentication 116a have the highest level of service requirements, and inherently require the highest level of trust within the system 10.

Service Invocation. In order to enable interactions between multiple endpoints within a circle of trust, the discovery service 54 issues service assertions 28 (FIG. 3, FIG. 5) that can be used by service consumers 48, such as to access other service providers 54.

In some embodiments of the identity based service system 10, messages can be routed and be transported through multiple hops. Additionally, message-level confidentiality is employed for sensitive data in multi-hop cases where confidentiality is required.

The target service provider 54 does not simply consume the service assertion 28. Relevant policy is enforced to ensure that the service invocation is in line with the principal's policies.

Authentication. Most system services require requester authentication. Additionally, the response is authenticated. For example, a user authentication comprises a determination of the identity 29 of a user U. Online authentication can take many forms, such as a stored browser cookie, a user name/password combination, or stronger technologies such as smart cards or biometric devices.

In the identity based service system 10, the user's identity 29 is authenticated, in accordance with privacy and security policies. The evidence of authentication for a user U comprises the user identity 29, in addition to guarantees of authentication. The evidence of authentication for a user U refers to stored and/or passed data that indicates that a user is authenticated, and which can be interrogated to verify the authentication.
30 
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As an example, web sites often user a stored cookie to provide personalization 
information about their site for the user. However, for e-commerce transactions, that 
same web site will often require the user to explicitiv suppiv a user ID and password. 
Both are authentications, but the ID/password is stronger than the stored cookie. This 
s allows the site to balance user convenience with its security policies, as needed. 

System Authorization. While user authentication determines the identity 29 of the user U, authorization is the process of determining what an authenticated user U is allowed to do, and the determination of any services and/or entities 27 which are allowed to act on behalf of the user U. 

For example, a web site that provides access to bank account information may be configured to allow only the primary account holder to transfer funds to/from the account, but allow all members of the family to view the current account balance. While each user U is authenticated, only one user U is able to perform authorized activities. 

Another example would be that of a network payment service (or smart wallet) 116n (FIG. 9, FIG. 10), which contains credit card information and/or cash account information 118. A user U of a wallet service 116n can controllably authorize a web site service provider 54 to access credit card information and/or cash account information. In this case, the user U is authenticated, and authorized to control the payment service, while the web site service provider is also authenticated, but authorized only to access the credit card information. 

As shown above, some embodiments of the identity based service system 10 feature a delegation of authorization, wherein a user U is not required to navigate to a payment site to authorize a transaction. For example, while a user U shops at a web site 120, during a checkout process, a system enabled web site 120 may access the payment/wallet service 116n, on behalf of the user U, wherein the user has delegated authorization to the web site to act on his behalf with the payment service 116n. 
User Identity. In the identity based service system 10, the identity 29 of a user U comprises a persona for that user. As seen in Figure 10, a user U can preferably have more than one identity 29. For example, a user U can have one identity 29 for personal information, another for business information, and a third identity for "anonymous" web access. 

(The notion of an "authentication record" is introduced for the first time in the paragraph 
following: does it need additional description? A: I see it's below: should it be 
referenced here?) 

The use of multiple identities 29 allows users U to store relevant information associated with each identity 29, and use or expose the information only as needed. For example, as seen in Figure 11, while "Financial Entity A" corporate credit card information 118j associated with a business identity 29 and work authentication record 132a is located in the wallet 116n, the "Financial Entity A" corporate credit card information 118j is not located in the wallet 116n associated with the home or personal authentication record 132b. 

Similarly, an "anonymous" identity 29 would typically comprise no personally-identifiable 
information, enabling use of that identity 29 in appropriate situations. 

Scopes of Authentication. Network authentication occurs when a user's evidence of authentication (is this 19b?) is issued by a network authentication service 116a (FIG. 10), and enables a user U to access sites and services on the network 112. This enables single sign-on features, wherein all network participants accept network evidence of authentication, in accordance with their own site policies, e.g. level of authentication required, and in accordance with user opt-in choices. 

In addition, a local authentication may occur, such as when evidence of authentication for a user U is issued by a local site/service, using its own authentication facilities, wherein the evidence of authentication is only valid for that specific site or service. A local authentication does not inherently carry with the user U from one site to another, and does not allow the site/service to access network services on behalf of the user U. 

Some embodiments of the identity based service system 10 provide both forms of authentication, whereby the system 10 can be integrated with sites that already have an authentication system. 
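The authentication, authorization and delegation passages above, together with the network/local scopes of authentication, can be put into one small model. The following Python is an added example written for this page, not code from the patent or from the system it describes: evidence of authentication carries a strength and an issuer, a site policy demands a minimum strength per action and consults an ACL, network-scope evidence is accepted by every participant while local evidence is accepted only by its issuer, and a wallet service lets its owner delegate a scoped authorization to a site. The names `Strength`, `Evidence`, `Site`, `WalletService`, the issuer string `NETWORK_AUTH` and all data values are assumptions constructed for the illustration.

```python
"""Added example (not the patent's own code): toy model of evidence of authentication,
site authorization policy and delegated wallet access.  Class names, the issuer string
NETWORK_AUTH and all data values are assumptions constructed for this illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Strength(IntEnum):
    """Relative strength of an online authentication method."""
    COOKIE = 1      # stored browser cookie: convenient, but weak
    PASSWORD = 2    # explicitly supplied user ID and password
    SMARTCARD = 3   # smart card or biometric device


NETWORK_AUTH = "network-authentication-service"   # issuer of network-scope evidence (assumed name)


@dataclass(frozen=True)
class Evidence:
    """Evidence of authentication: who was authenticated, how strongly, and by whom."""
    user: str
    strength: Strength
    issuer: str   # NETWORK_AUTH, or the name of the site that authenticated the user locally


@dataclass
class Site:
    """A participant with its own policy: minimum strength per action, plus an ACL."""
    name: str
    required: dict   # action -> minimum Strength the site's policy demands
    acl: dict        # action -> set of users allowed to perform that action

    def accepts(self, ev: Evidence) -> bool:
        # Network evidence is accepted by every participant; local evidence only by its issuer.
        return ev.issuer in (NETWORK_AUTH, self.name)

    def authorize(self, ev: Evidence, action: str) -> bool:
        """Authentication establishes who the user is; authorization decides what they may do."""
        if not self.accepts(ev):
            return False
        if ev.strength < self.required.get(action, Strength.COOKIE):
            return False
        return ev.user in self.acl.get(action, set())


@dataclass
class WalletService:
    """Payment/wallet service holding card and cash data on behalf of one owner."""
    owner: str
    data: dict = field(default_factory=dict)          # "credit_card" / "cash_account" -> value
    delegations: dict = field(default_factory=dict)   # site -> set of keys that site may read

    def grant(self, owner_ev: Evidence, site: str, keys: set) -> bool:
        """The authenticated owner delegates a scoped authorization to a site.  Local evidence
        from some site must not drive network services on the user's behalf, so only
        network-scope evidence of the owner is honoured."""
        if owner_ev.user != self.owner or owner_ev.issuer != NETWORK_AUTH:
            return False
        self.delegations.setdefault(site, set()).update(keys)
        return True

    def can_read(self, site: str, key: str) -> bool:
        """A site acting for the user is authenticated, but authorized only for what was delegated."""
        return key in self.delegations.get(site, set())

    def read(self, site: str, key: str):
        if not self.can_read(site, key):
            raise PermissionError(f"{site} is not authorized for {key}")
        return self.data[key]


def demo() -> dict:
    """Bank-account and wallet scenarios from the text; returns each decision for inspection."""
    bank = Site("bank.example",
                required={"view_balance": Strength.COOKIE, "transfer": Strength.PASSWORD},
                acl={"view_balance": {"alice", "bob"}, "transfer": {"alice"}})
    shop = Site("shop.example", required={}, acl={"checkout": {"alice"}})
    wallet = WalletService("alice", data={"credit_card": "constructed-card-ref",
                                          "cash_account": "constructed-account-ref"})
    alice_net = Evidence("alice", Strength.PASSWORD, NETWORK_AUTH)     # network authentication
    alice_local = Evidence("alice", Strength.PASSWORD, "shop.example")  # local authentication at the shop
    return {
        "bob_views_balance": bank.authorize(Evidence("bob", Strength.COOKIE, NETWORK_AUTH), "view_balance"),
        "bob_transfers": bank.authorize(Evidence("bob", Strength.PASSWORD, NETWORK_AUTH), "transfer"),
        "alice_cookie_transfers": bank.authorize(Evidence("alice", Strength.COOKIE, NETWORK_AUTH), "transfer"),
        "alice_password_transfers": bank.authorize(alice_net, "transfer"),
        "local_evidence_at_bank": bank.authorize(alice_local, "view_balance"),
        "local_evidence_at_shop": shop.authorize(alice_local, "checkout"),
        "delegate_with_local_evidence": wallet.grant(alice_local, "shop.example", {"credit_card"}),
        "delegate_with_network_evidence": wallet.grant(alice_net, "shop.example", {"credit_card"}),
        "shop_reads_card": wallet.can_read("shop.example", "credit_card"),
        "shop_reads_cash": wallet.can_read("shop.example", "cash_account"),
        "other_site_reads_card": wallet.can_read("other.example", "credit_card"),
        "card_value": wallet.read("shop.example", "credit_card"),
    }
```

The two checks worth noticing are that a cookie-strength authentication of the right user is still refused for the transfer action, because the site's policy rather than the ACL rejects it, and that evidence issued locally by the shop is useless both at the bank and for delegating wallet access, which is exactly the limit the text places on local authentication.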


Requester identity, such as that of a web consumer 48, is established by the inclusion of a security token 186 (FIG. 13), which represents the identity of the requester, and the signing of relevant portions of the message with the key material implied by the security token 186. The security token 186 may be an X.509 certificate, a Kerberos ticket, a SAML assertion, a username and associated password, or any other valid security token 186, as deemed necessary by the web service provider 54. Additionally, replay protection is preferably employed, such as a nonce-based challenge-response protocol, a timestamp included in the signature, or another replay protection mechanism. 

The responder's identity can be authenticated, such as by validating the signature on the response, which contains the original RequestID. 
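The request/response exchange just described, as an added example that is not part of the patent or of the system it describes: the requester's security token names the party, a nonce and a timestamp give replay protection, the signature covers the message, and the responder signs a reply that echoes the original RequestID so the consumer can authenticate it. HMAC-SHA256 under constructed shared keys stands in for the key material a real token (X.509, Kerberos or SAML) would imply; `KEYS`, the token ids, the `REPLAY_WINDOW` value and the message field names are assumptions.

```python
"""Added example (not the patent's own code): requester identity via a security token plus
a message signature, replay protection by nonce and timestamp, and responder authentication
by signing a response that echoes the original RequestID.  HMAC-SHA256 under constructed
shared keys stands in for the key material a real token (X.509, Kerberos, SAML) implies."""
import hashlib
import hmac
import json
import secrets

REPLAY_WINDOW = 300   # seconds a timestamp is accepted as fresh (assumed policy)
KEYS = {              # token id -> key material implied by that token (constructed)
    "consumer-48": b"constructed-key-for-web-service-consumer",
    "provider-54": b"constructed-key-for-web-service-provider",
}


def canonical(msg: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: dict, key: bytes) -> str:
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


def build_request(token: str, body: dict, now: int) -> dict:
    """Consumer side: the token names the requester, nonce and timestamp give replay
    protection, and the signature covers the whole message."""
    msg = {"token": token, "request_id": secrets.token_hex(8),
           "nonce": secrets.token_hex(16), "timestamp": now, "body": body}
    return {"msg": msg, "sig": sign(msg, KEYS[token])}


class ServiceProvider:
    def __init__(self, token: str):
        self.token = token
        self.seen = {}   # nonce -> timestamp, retained only for the replay window

    def verify_request(self, req: dict, now: int) -> tuple:
        """Returns (accepted, reason).  Order matters: authenticate before spending state on nonces."""
        msg = req["msg"]
        key = KEYS.get(msg.get("token"))
        if key is None:
            return False, "unknown security token"
        if not hmac.compare_digest(sign(msg, key), req["sig"]):
            return False, "bad signature"
        if abs(now - msg["timestamp"]) > REPLAY_WINDOW:
            return False, "stale timestamp"
        self.seen = {n: t for n, t in self.seen.items() if now - t <= REPLAY_WINDOW}
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["timestamp"]
        return True, "ok"

    def respond(self, req: dict, result: dict, now: int) -> dict:
        """Provider side: the response carries the original RequestID and is signed with the provider's key."""
        msg = {"token": self.token, "in_reply_to": req["msg"]["request_id"],
               "timestamp": now, "result": result}
        return {"msg": msg, "sig": sign(msg, KEYS[self.token])}


def verify_response(resp: dict, req: dict) -> bool:
    """Consumer side: the responder is authenticated when its signature verifies under the
    responder's key and the signed message echoes the RequestID we sent."""
    msg = resp["msg"]
    key = KEYS.get(msg.get("token"))
    if key is None or not hmac.compare_digest(sign(msg, key), resp["sig"]):
        return False
    return msg["in_reply_to"] == req["msg"]["request_id"]


def demo() -> dict:
    """Exercise the accept path and each rejection path; returns the outcomes."""
    now = 1_700_000_000
    provider = ServiceProvider("provider-54")
    req = build_request("consumer-48", {"service": "profile", "op": "getEmail"}, now)
    first = provider.verify_request(req, now)
    replay = provider.verify_request(req, now + 10)                     # same nonce again
    tampered = {"msg": dict(req["msg"], body={"op": "getCard"}), "sig": req["sig"]}
    stale = build_request("consumer-48", {"op": "ping"}, now - 2 * REPLAY_WINDOW)
    resp = provider.respond(req, {"email": "constructed@example.test"}, now + 1)
    other = build_request("consumer-48", {"op": "other"}, now)
    return {
        "first": first[1],
        "replay": replay[1],
        "tampered": provider.verify_request(tampered, now)[1],
        "stale": provider.verify_request(stale, now)[1],
        "response_ok": verify_response(resp, req),
        "response_for_wrong_request": verify_response(resp, other),
    }
```

The timestamp check bounds how long a nonce has to be remembered, which is what keeps the replay cache finite; without it the provider would have to retain every nonce it ever saw. The response check binds the reply to one specific request, so a valid signed response captured from an earlier exchange cannot be substituted for the answer to a new one.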

Long-Lived Access to Services. In some alternate system embodiments 10, pursuant to the approval of a user U, the discovery service 42 issues long-lived service assertions to a web service consumer 48, such that the web service consumer 48 can repeatedly invoke a service at the web service provider 54. Continual acceptance of the service assertion 28 at the web service provider 54 is dependent on user approval of continued access to the service at the web service provider 54. 

However, in system embodiments 10 wherein revocation is desired to be controlled by the identity provider 14 and associated discovery service 42, the discovery service 42 prevents long-lived service assertions to a web service consumer 48. (***Clarify as needed***) 

Service infrastructure. While current system embodiments 10 comprise a profile service (PS) 116 (FIG. 9), the identity based service system 10b preferably comprises a complete services infrastructure, such that the profile service 116, as well as other services, may be built on top of web service standards. 

For example, the infrastructure is typically accessible via SOAP over HTTP calls, as defined by WSDL descriptions, and uses agreed-upon schemas, such that the web services infrastructure transparently supports both static and dynamic data. An example of static data is a basic profiling service that returns an e-mail address. An example of dynamic data is that of an infrastructure served by a calendar service, which returns calendar appointments. 


Services, which for example may include a user's profile 116b, wallet 116n or calendars/alerts 116c, typically are composed of a set of logically related functionality, and contain collections of attributes and service calls. 

Core Authentication Records. Figure 10 is a functional block diagram of a core authentication record (CAR) 132, which is maintained on behalf of a user U, such as by the Identity Provider 14 (FIG. XX) (***Is this shown?***). The core authentication record 132 comprises links 136, 140 to sites 120a-120k which are associated through the identity based service system 10. The core authentication record 132 is also linked to an ACL or other access control mechanism 134 (***Please describe as needed***), and to services 138, such as core services 116, as provided by core service providers 118, or other web services (not shown) operating within the identity based service system 10. 

Figure 11 is a functional block diagram of multiple core authentication records (CAR) 132a, 132b, which are maintained on behalf of a user U. Some preferred embodiments of the identity based service system 10 comprise support for multiple identities, i.e. personifications or personas, for a user U, wherein a user may interact differently, such as within different environments. 
For example, users U often look at their work personification as different and distinct from their home personification, with different sites 120 visited, different credit cards 116n, and sometimes even different alert mechanisms 116c. 


As seen in Figure 11, multiple core authentication records (CAR) 132a, 132b are 
preferably supported by the identity based service system 10, whereby a user U 
selectively logs in 18 to one or more core authentication records 132. 

The links 136 also preferably include quick-links 140 between accounts 132. Once a user U logs in 18 to either account 132, they can switch between the accounts 132, e.g. from 132a to 132b, on an as-needed or as-desired basis, without logging in 18 again. For example, as seen in Figure 11, a user U within a work authentication record 132a can link 140d to the associated home authentication record 132b for the user U. 

Similarly, the user U within a home authentication record 132b can link 140g to the associated work authentication record 132a for the user U. 

Figure 12 is a functional block diagram 160 of multiple core authentication records (CAR) 132a, 132b, which are maintained on behalf of a user U, based upon the use of different devices 192a, 192b (FIG. 14). The identity based service system 10 also preferably comprises support for multiple devices 192 for a user U, wherein a user logs on 18 to the system through any of a plurality of devices 192, such as through a desktop computer 192a in an office, or through a mobile device 192b at any location. 

While the user U may retain a similar identity while operating different devices, such as a work identity, the chosen services 138, 116 and links 136, 140 linked to the authentication records 132a, 132b may be chosen or selected as suitable for the device 192. For example, an extended alert list 116c may be linked to a desktop computer 192a, while an abbreviated alert list 116c may be linked to a mobile device 192b, such as a personal digital assistant 192b, or an Internet enabled cell phone 192b. Similarly, a wide variety of web site links 140 may be linked to a desktop computer 192a, while only a few key web site links 140 may be linked to a mobile device 192b. 

While much of the identity 29, services 116, and/or core providers 118 may be shared between authentication records 132a, 132b in Figure 12, the authentication records 132a, 132b provide a customized operating environment for a user U, which is based on the device 192 from which the user U logs in 18. 
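The core authentication record passages above (multiple personas, quick-links that allow switching without a second login, and per-device selection of links and services) lend themselves to a small data model. The following Python is an added example, not code from the patent or from the system it describes: a `CoreAuthenticationRecord` holds links and services tagged with the devices they are chosen for plus the set of records it quick-links to, an `IdentityProvider` issues a `Session` on login, and the session may switch only to a record reachable by quick-link. Class names, the device labels and all record contents are assumptions constructed for the illustration.

```python
"""Added example (not the patent's own code): core authentication records as personas,
quick-links between them, and device-specific views.  Names and data are assumptions."""
from dataclasses import dataclass, field


@dataclass
class CoreAuthenticationRecord:
    name: str                                      # e.g. "work" or "home"
    links: dict = field(default_factory=dict)      # site -> set of devices on which the link is shown
    services: dict = field(default_factory=dict)   # service -> set of devices on which it is offered
    quick_links: set = field(default_factory=set)  # names of other CARs reachable without re-login

    def view(self, device: str) -> dict:
        """The environment a device sees: only the links and services chosen for it."""
        return {
            "links": sorted(s for s, devs in self.links.items() if device in devs),
            "services": sorted(s for s, devs in self.services.items() if device in devs),
        }


class IdentityProvider:
    """Holds a user's CARs; a login establishes a session bound to one of them."""

    def __init__(self):
        self.records: dict = {}     # user -> {CAR name -> CAR}
        self.passwords: dict = {}   # toy check only; a real provider verifies a salted password hash

    def register(self, user: str, password: str, cars: list) -> None:
        self.passwords[user] = password
        self.records[user] = {c.name: c for c in cars}

    def login(self, user: str, password: str, car_name: str, device: str):
        """Credentials are presented once, for one record, from one device."""
        if self.passwords.get(user) != password or car_name not in self.records.get(user, {}):
            return None
        return Session(self, user, self.records[user][car_name], device)


class Session:
    def __init__(self, idp: IdentityProvider, user: str, car: CoreAuthenticationRecord, device: str):
        self.idp, self.user, self.car, self.device = idp, user, car, device
        self.logins = 1   # how many times credentials were presented in this session

    def view(self) -> dict:
        return self.car.view(self.device)

    def switch(self, car_name: str) -> bool:
        """Follow a quick-link to another CAR of the same user without re-entering credentials.
        A record that the current one does not quick-link to is not reachable this way."""
        if car_name not in self.car.quick_links:
            return False
        self.car = self.idp.records[self.user][car_name]
        return True


def demo() -> dict:
    work = CoreAuthenticationRecord(
        "work",
        links={"intranet.example": {"desktop"}, "crm.example": {"desktop", "mobile"}},
        services={"alerts:extended": {"desktop"}, "alerts:short": {"mobile"},
                  "calendar": {"desktop", "mobile"}},
        quick_links={"home"},
    )
    home = CoreAuthenticationRecord(
        "home",
        links={"bank.example": {"desktop", "mobile"}, "shop.example": {"desktop"}},
        services={"wallet": {"desktop", "mobile"}},
        quick_links={"work"},
    )
    # A third persona with no quick-link from "work": it needs its own login.
    anonymous = CoreAuthenticationRecord("anonymous", links={"news.example": {"desktop", "mobile"}})
    idp = IdentityProvider()
    idp.register("alice", "constructed-password", [work, home, anonymous])

    bad = idp.login("alice", "wrong", "work", "desktop")
    s = idp.login("alice", "constructed-password", "work", "desktop")
    desktop_view = s.view()
    mobile_view = work.view("mobile")
    switched = s.switch("home")
    home_view = s.view()
    to_anonymous = s.switch("anonymous")
    return {
        "bad_login": bad,
        "desktop_links": desktop_view["links"],
        "desktop_services": desktop_view["services"],
        "mobile_links": mobile_view["links"],
        "mobile_services": mobile_view["services"],
        "switched_to_home": switched,
        "home_links": home_view["links"],
        "switch_to_unlinked": to_anonymous,
        "logins": s.logins,
    }
```

The point of `logins` staying at one after the switch is the text's claim that quick-linked accounts are reachable "without logging in again"; the refused switch to the unlinked anonymous record shows that the quick-link set, not the mere fact of being the same user, is what grants that shortcut.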

System Advantages. The identity based service system 10 provides significant advantages over conventional identity and service structures. Through the establishment of a system identity 29, a user U can quickly provide information as needed to system entities 27, while controlling how the information is distributed. The use of a secure and centralized identity structure provides controlled authentication and authorization of all system entities 27. 


Through the use of detailed identity information, the identity based service system 10 
provides unique value-added services, such as fast sign-in 18, a customized personal 
network environment, and quick links 140 to existing and new associated web service 
providers 120. 


System Operation. Figure 14 is a schematic view 190 of a user logging onto a first service provider site 120, wherein the user does not currently have a system identity 29. In the process of registering as a user at the site 120, the user typically establishes a user name 196 and password 198, and enters appropriate information to operate within the site 120, such as name, address, and/or credit information 96. 

Figure 15 is a second view 200 of operation for an identity based service system 10, wherein the user is asked if an identity based service system identity 174 is desired, to easily establish relationships with other providers 120, such as through selectable member site links 202, and/or to establish or manage system services 116, such as to establish a profile service 116b or a wallet service 116n, through selectable service links 204. 

Figure 16 is a third view 210 of operation for an identity based service system 10, in which a system identity 29 is established at an identity provider 14. The information gathered from the first site 120 is securely stored in the identity provider 14. The user U may easily choose one or more member site links 202 and/or service links 204, typically from an identity service selection screen 206. 

Although the identity based service system and its methods of use are described herein in connection with personal computers, mobile devices, and other microprocessor-based devices, such as portable digital assistants or network enabled cell phones, the apparatus and techniques can be implemented for a wide variety of electronic devices and systems, or any combination thereof, as desired. 

As well, while the identity based service system and its methods of use are described 
herein in connection with interaction between a principal and a network through a 
device, the use of identity based services can be implemented for a wide variety of 
electronic devices and networks or any combination thereof, as desired. 


Accordingly, although the invention has been described in detail with reference to a 
particular preferred embodiment, persons possessing ordinary skill in the art to which 
this invention pertains will appreciate that various modifications and enhancements may 
be made without departing from the spirit and scope of the claims that follow. 


Other comments from David Wexelblat 

The one big issue I have is that "core services" is defined as authentication, profile, wallet, calendar and alerts. I think this is an overly-broad definition, one that would be susceptible to being implemented around (e.g. someone implements what we've described, but without calendar, it isn't the service as we've described). For what we are trying to define here, only authentication, and possibly profile, would be considered "core" and everything else applications on top of these core services. With the definition of "core authentication record" and "discovery service", I don't think profile is even core. 

I think the ambiguity arose from the set of services initially planned for Magic Carpet Network V1. Those services were core to business, not core to the technology or implementation thereof. 
CLAIMS 

What is claimed is: 

1. An identity based service system, comprising: 

at least one principal comprising at least one identity comprising user information; 

an identity provider for managing at least one identity for the principal, and for authenticating the principal; and 

a system entity which is accessible by the principal, based on an authentication of the principal by the identity provider, and based on retrieval of at least a portion of user information from the identity provider. 

2. The identity based service system of Claim 1, further comprising: 

at least one core service associated with the system and related to at least a portion of the user information. 

3. The identity based service system of Claim 2, wherein the core service is accessible 
by the user, based on an authentication of the principal by the identity provider. 

4. The identity based service system of Claim 2, wherein the core service is accessible by the system entity, based on an authentication of the principal by the identity provider. 

5. The identity based service system of Claim 2, wherein the core service is associated 
with one or more core service providers. 


6. The identity based service system of Claim 2, wherein the core service comprises any of an authentication service, a profile service, an alert service, a calendar service, and a wallet service. 
7. The identity based service system of Claim 1, wherein the identity provider further comprises means for translating namespaces, such that a user identity of a principal in a first namespace is translatable to a user identity in a second namespace. 

8. The identity based service system of Claim 7, wherein the user identity in the second namespace is encrypted. 

9. The identity based service system of Claim 7, wherein the user identity in the second 
namespace is time-bound. 


10. The identity based service system of Claim 1, further comprising: 

at least one core authentication record associated with the identity, comprising any of services and links associated with the identity. 

11. An identity based service system, comprising: 

an identity module for managing an identity for a user; 

a discovery module associated with the identity module and adapted to receive a user name identifier associated with the user and a service name known to the system; 

means for discovering a service descriptor for the user, based on a received name identifier and a service name; and 

whereby at least one web service is accessible, based upon the discovered service descriptor and the name identifier. 



12. The identity based service system of Claim 11, further comprising: 

at least one core service associated with the system and related to the user. 

13. The identity based service system of Claim 12, wherein the core service is accessible by the user, based on a system authentication of the principal at the identity module. 
14. The identity based service system of Claim 12, wherein the core service is accessible by a system entity, based on an authentication of the principal at the identity module. 

15. The identity based service system of Claim 12, wherein the core service is associated with one or more core service providers. 

16. The identity based service system of Claim 12, wherein the core service comprises any of an authentication service, a profile service, an alert service, a calendar service, and a wallet service. 

17. The identity based service system of Claim 11, wherein the identity module further 
comprises means for translating namespaces, such that a user identity of a principal in 
a first namespace is translatable to a user identity in a second namespace. 


18. The identity based service system of Claim 17, wherein the user identity in the 
second namespace is encrypted. 

19. The identity based service system of Claim 17, wherein the user identity in the second namespace is time-bound. 

20. The identity based service system of Claim 1 (is this claim 1 or claim 11?), further comprising: 

at least one core authentication record associated with the identity, comprising any of services and links associated with the identity. 

21. The system of Claim 11, wherein the principal is located at a device linked to the 
identity based service system. 

22. An identity based service process, comprising: 

providing an identity module for managing an identity for a user; 

receiving a user name identifier associated with the user and a service name known to the system; 

discovering a service descriptor for the user, based on a received name identifier and a service name; and 

controllably authenticating access to a service, based upon the receipt of the 
discovered service descriptor and the name identifier. 

23. The process of Claim 22, further comprising the step of: 

establishing at least one core service associated with the system and related to 
the user. 

24. The process of Claim 23, wherein the core service is accessible by the user, based 
on a system authentication of the principal at the identity module. 

25. The process of Claim 23, wherein the core service is accessible by a system entity, 
based on an authentication of the principal at the identity module. 

26. The process of Claim 23, wherein the core service is associated with one or more 
core service providers. 

27. The process of Claim 23, wherein the core service comprises any of an 
authentication service, a profile service, an alert service, a calendar service, and a 
wallet service. 

28. The process of Claim 22, further comprising the step of: 

translating namespaces, such that a user identity of a principal in a first 
namespace is translated to a user identity in a second namespace. 

29. The process of Claim 28, further comprising the step of: 

encrypting the user identity in the second namespace. 




30. The process of Claim 22, wherein the user identity in the second namespace is time-bound. 

31. The process of Claim 22, further comprising the step of: 

associating at least one core authentication record with the identity, comprising any of services and links associated with the identity. 

32. A process, comprising the steps of: 

providing an identity provider networked to a service having a service name; 

establishing an identity at the identity provider for a principal, comprising information and a name identifier for a user; 

establishing a link between the principal and the service by the identity provider, based upon a receipt of a name identifier and a service name. 
ABSTRACT OF THE DISCLOSURE 

An identity based service system is provided, in which an identity is created and managed for a user or principal, such that at least a portion of the identity is available to use between one or more system entities. A discovery service enables a system entity to discover a service descriptor, given a service name and a name identifier of the user, whereby system entities can find and invoke the user's other personal web services. The discovery service preferably provides a translation between a plurality of namespaces, to prevent linkable identity information over time between system entities. 
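The namespace translation that the abstract and Claims 7 to 9 (and 28 to 30) describe, as an added example that is not part of the patent or of the system it describes: the identity provider hands each participant its own time-bound name identifier for the same user, so two participants cannot link their identifiers to each other, and an identifier from one period is not linkable to the next. A keyed HMAC pseudonym with a reverse table held by the identity provider is used here in place of the encrypted identifier the claims mention, since the stdlib offers no authenticated cipher; `PERIOD`, the class names, the key and the sample descriptor are assumptions constructed for the illustration.

```python
"""Added example (not the patent's own code): a discovery service whose name identifiers are
participant-specific, time-bound pseudonyms.  A keyed HMAC plus a reverse table stands in for
the encrypted identifier of the claims; names, PERIOD and sample data are assumptions."""
import base64
import hashlib
import hmac

PERIOD = 86400   # seconds a translated identifier stays valid (assumed policy)


class IdentityProvider:
    def __init__(self, key: bytes):
        self.key = key
        self.reverse: dict = {}   # pseudonym -> (user, participant, period)

    def name_identifier(self, user: str, participant: str, now: int) -> str:
        """Translate from the identity provider's namespace (the user) into the participant's
        namespace: a pseudonym specific to that participant and to the current period."""
        period = now // PERIOD
        tag = hmac.new(self.key, f"{user}|{participant}|{period}".encode(), hashlib.sha256).digest()
        pseudonym = base64.urlsafe_b64encode(tag[:16]).decode().rstrip("=")
        self.reverse[pseudonym] = (user, participant, period)
        return pseudonym

    def resolve(self, pseudonym: str, participant: str, now: int):
        """Translate back, but only for the participant it was issued to and only while unexpired."""
        entry = self.reverse.get(pseudonym)
        if entry is None:
            return None
        user, issued_to, period = entry
        if issued_to != participant or period != now // PERIOD:
            return None
        return user


class DiscoveryService:
    """Given a service name and a translated name identifier, find the user's service descriptor."""

    def __init__(self, idp: IdentityProvider):
        self.idp = idp
        self.descriptors: dict = {}   # user -> {service name -> descriptor}

    def register(self, user: str, service_name: str, descriptor: dict) -> None:
        self.descriptors.setdefault(user, {})[service_name] = descriptor

    def discover(self, pseudonym: str, participant: str, service_name: str, now: int):
        user = self.idp.resolve(pseudonym, participant, now)
        if user is None:
            return None
        return self.descriptors.get(user, {}).get(service_name)


def demo() -> dict:
    now = 1_700_000_000
    idp = IdentityProvider(b"constructed-identity-provider-key")
    ds = DiscoveryService(idp)
    descriptor = {"endpoint": "https://profile.example/ps", "note": "constructed sample"}
    ds.register("alice", "profile", descriptor)

    shop_id = idp.name_identifier("alice", "shop.example", now)
    bank_id = idp.name_identifier("alice", "bank.example", now)
    later_id = idp.name_identifier("alice", "shop.example", now + PERIOD)
    return {
        "unlinkable_across_participants": shop_id != bank_id,
        "rotates_across_periods": shop_id != later_id,
        "stable_within_period": idp.name_identifier("alice", "shop.example", now + 60) == shop_id,
        "shop_discovers": ds.discover(shop_id, "shop.example", "profile", now),
        "bank_reusing_shop_id": ds.discover(shop_id, "bank.example", "profile", now),
        "expired": ds.discover(shop_id, "shop.example", "profile", now + PERIOD),
        "unknown_service": ds.discover(shop_id, "shop.example", "wallet", now),
    }
```

The reverse table is what makes the provider, and only the provider, able to map a pseudonym back to a user; a participant that obtains another participant's identifier gains nothing from it, and an identifier that has outlived its period resolves to nothing even at the participant it was issued to.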
EXHIBIT I 

Wednesday, July 23, 2003 

Re: AOL0091 Patent Draft ***Comments due ASAP! 

Subject: Re: AOL0091 Patent Draft ***Comments due ASAP! 
Date: Wed, 23 Jul 2003 13:24:15 -0400 
From: "Conor P. Cahill" <concahill@aol.com> 
Organization: America Online, Inc. 
To: "Jessica Pallach" <jessica@glenn-law.com> 
References: 1,2,3 
Jessica Pallach wrote: 

> Thanks Edwin and David. I have forwarded your comments to Don for 
> incorporation. He will contact you if he has any questions. 
> As soon as I hear back from Conor and Jeromy with their address info, 
> I can prepare the formal papers for signatures. PS, do you know their info or 
> another way to contact them? 
> Thank you for your cooperation! 

The law firm should have all my info.... This isn't my first patent 
application filed through Glenn Law. 

Anyway... 

Conor P. Cahill 
38580 Daymont Lane 
Waterford, VA 20197 

US Citizen. 

If it matters, I have dual citizenship (Ireland and US) born in US to 
Irish immigrants. I have always claimed US citizenship in prior 
applications. 

Conor 

> -Jessica 



> Edwin Aoki wrote: 
> > Jessica, 
> > 
> > I apologize for the delay; I was out of town for the past three weeks 
> > and am just now getting through the backlog of email. (Of course, I do 
> > recognize that I've had this draft for longer than that). I've included 
> > redlines in the attached document. Some are clarifications (as 
> > requested) and others are some corrections to figure numbers based on my 
> > reading of the text. I would appreciate it if you could attempt to 
> > verify that I interpreted the text correctly in making the corrections; 
> > this is not simple stuff, and it's been a while since we'd looked at 
> > some of this system design. 
> > Thanks again for your effort to make this understandable - or at least 
> > understandable to the folks over at the PTO. :-) 
> > Let me know if you have any further questions, 
> > -Edwin 
EXHIBIT J 

Wednesday, July 23, 2003 

Re: AOL0091 Signature forms! 

Subject: Re: AOL0091 Signature forms! 
Date: Wed, 23 Jul 2003 16:34:01 -0700 
From: Jessica Pallach <jessica@glenn-law.com> 
Organization: Glenn Patent Group 
To: "Conor P. Cahill" <concahill@aol.com>, "Jim A. Roskind" <jar@netscape.com>, AOL-David Wexelblat <davidwexelblat@aol.com>, AOL-Edwin Aoki <edwinaoki@aol.net>, Jeromy Carriere <sjcarriere@hotri, Chris Toomey <ctoomey@netscape.com> 
References: 1,2,3,4,5 

I just found out about an additional inventor. Please disregard 
previous forms and sign the attached! Again, sorry! 

Chris - the application is attached for review. 

-Jessica 



"Conor P. Cahill" wrote: 

> Jessica Pallach wrote: 
> > Conor, 
> > No problem, I can fix the forms. I'm going off the list of inventors 
> > on the disclosure form in the file. Obviously, that's not correct. Is 
> > there anyone else that should be included? Is the order of inventors 
> > ok as-is (adding Jim to the bottom)? 
> 
> That's fine. Chris Toomey is the last that I am aware of. 
> 
> Conor 



Jessica L. Pallach 

Patent Administrator / IP Database Manager 

Glenn Patent Group 

3475 Edison Way, Suite L 

Menlo Park, CA 94025 

650-474-8400 

650-474-8401 (Fax) 

jessica@glenn-law.com 




This message is intended only for the individual to whom it is addressed 
and may contain information that is confidential, privileged, or otherwise 
exempt from disclosure under applicable law. If you are not the individual 
to whom this message is addressed, you are advised that any use, copying, 
or disclosure of this message or the contents thereof is without permission 
and contrary to law. If you receive this message in error, please call 
650-474-8400. 
ASSIGNMENT 

WHEREAS, We, Conor P. CAHILL, David Eli WEXELBLAT, Norihiro Edwin AOKI, Jeromy CARRIERE, James ROSKIND, and Christopher Newell TOOMEY, hereinafter referred to as "ASSIGNORS", have invented certain new and useful improvements, as described and set forth in the below-identified application for United States Letters Patent: 

Title of Invention: IDENTITY BASED SERVICE SYSTEM 

Filing Date: _Serial No. 

WHEREAS, America Online, Inc., having its principal place of business at 22000 AOL Way, Dulles, Virginia 20166-9323, hereinafter referred to as "ASSIGNEE", is desirous of acquiring the entire right, title, and interest in the said invention and application and in any Letters Patent which may be granted with regard to the same; 

NOW, THEREFORE, TO ALL WHOM IT MAY CONCERN: Be it known that, for One Dollar ($1.00) and other good and valuable consideration, ASSIGNORS have sold, assigned, and transferred, and by these presents do sell, assign, and transfer unto the said ASSIGNEE, and ASSIGNEE'S successors and assigns, all right, title, and interest in and to said invention, said application for United States Letters Patent and any Letters Patent which may be hereafter granted on the same in the United States and all countries throughout the world, including any divisions, renewals, continuations in whole or part, substitutions, conversions, reissues, revivals, prolongation, or extensions thereof, said interest to be held and enjoyed by said ASSIGNEE as fully and exclusively as it would have been held and enjoyed by said ASSIGNORS had this assignment and transfer not been made, for all time. 

ASSIGNORS further agree that they will, without charge to said ASSIGNEE, but at ASSIGNEE'S expense, cooperate with ASSIGNEE in the prosecution of said application and/or applications, execute, verify, acknowledge, and deliver all such further papers, including applications for Letters Patent and for the reissue thereof, and instruments of assignment and transfer thereof, and will perform such other acts as ASSIGNEE may lawfully request, to obtain or maintain Letters Patent for said invention and improvement in any and all countries, and to vest title thereto in said ASSIGNEE, or ASSIGNEE'S successors and assigns. 

IN TESTIMONY WHEREOF, ASSIGNORS have hereunto signed their names to the assignment on the date indicated below. 



Conor P. Cahill Date 

David Eli Wexelblat Date 

Norihiro Edwin Aoki Date 

Jeromy Carriere Date 

James Roskind Date 



Christopher Newell Toomey 



Date 
DECLARATION FOR PATENT APPLICATION 

As a below named inventor, I hereby declare that: 

My residence, post office address, and citizenship are as stated below next to my name; 

I believe I am the original, first, and sole inventor (if only one name is listed below) or an original, first, and joint inventor (if plural names are listed below) of the subject matter which is claimed and for which a patent is sought on the invention entitled: 

IDENTITY BASED SERVICE SYSTEM 

the specification of which (check one) is attached hereto, or was filed on as Application Serial No. and was amended on (if applicable). 

I hereby state that I have reviewed and understand the contents of the above-identified specification, including the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to the examination of this application in accordance with Title 37, Code of Federal Regulations, Section 1.56(a). 

I hereby claim foreign priority benefits under Title 35, United States Code, Section 119 of any foreign application(s) for patent or inventor's certificate listed below and have also identified below any foreign application for patent or inventor's certificate having a filing date before that of the application on which priority is claimed: 

Prior Foreign Application(s) Priority Claimed 
Yes No 
Number Country Day/Month/Year Filed 
Number Country Day/Month/Year Filed 

POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) and/or agent(s) to prosecute this application and transact all business in the Patent and Trademark Office connected therewith: 

MICHAEL A. GLENN, Reg. No. 30,176 
JAMES R. BRAMSON, Reg. No. 41,632 
DONALD M. HENDRICKS, Reg. No. 40,355 
CHRISTOPHER PEIL, Reg. No. 45,005 
IWY.MAY, Reg. No. 46,925 
JULIA THOMAS, Reg. No. 52,283 

SEND CORRESPONDENCE TO: 

GLENN PATENT GROUP, 3475 Edison Way, Suite L, Menlo Park, CA 94025 
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I hereby claim the benefit under Title 35, United States code, Section 120 of any United States 
application(s) listed below and, insofar as the subject matter of each of the claims of this application is not 
disclosed in the prior United States application in the manner provided by the first paragraph of Title 35, 
United States Code, Section 112, I acknowledge the duty to disclose material information as defined in 
Title 37, Code of Federal Regulations, Section 1.56(a) which occurred between the filing date of the prior 
application and the national or PCT international filing date of this application: 



Application Ser. No. Filing Date Status: Patented, Pending, Abandoned 



I hereby declare that all statements made herein of my own knowledge are true and that all statements 
made on information and belief are believed to be true; and further that these statements were made with 
the knowledge that willful false statements and the like so made are punishable by fine or imprisonment or 
both, under Section 1001 of Title 18 of the United States Code and that such willful false statements may 
jeopardize the validity of the application or any patent issued thereon. 



Full name of sole or first inventor: CONOR P. CAHILL 

Inventor's signature 

Date 

Residence 38580 Davmont Lane, Waterford, Virginia 20197 

Post Office Address Same 

Citizenship United States of America 



Full name of second inventor: DAVID ELI WEXELBLAT 

Inventor's signature 

Date 

Residence 1811 Vance Place, Vienna, Virginia 22182 

Post Office Address Same 

Citizenship United States of America 



Full name of third inventor: NORIHIRO EDWIN AOKI 

Inventor's signature 

Residence 1296 Morningside Drive, Sunnyvale, California 94087-1555 

Post Office Address Same 

Citizenship United States of America 
Full name of fourth inventor: JEROMY CARRIERE 

Inventor's signature 

Date 

Residence 1182 Broad Creek Place, Herndon, Virginia 20170 

Post Office Address Same 

Citizenship United States of America 

Full name of fifth inventor: JAMES ROSKIND 

Inventor's signature 

Date 

Residence 920 Governors Bay Drive, Redwood City, California 94065 

Post Office Address Same 

Citizenship United States of America 

Full name of sixth inventor: CHRISTOPHER NEWELL TOOMEY 

Inventor's signature 

Date 

Residence 23694 Black Oak Way, Cupertino, California 95014 

Post Office Address Same 

Citizenship United States of America 



EXHIBIT K 



From: Don Hendricks <donhdesign@earthlink.net> 

Subject: AOL0091 Second Patent Draft for Comments ASAP 
Date: August 14, 2003 9:20:25 AM PDT 
To: Conor Cahill <ConCahill@aol.com>, Edwin Aoki <edwinaoki@aol.net>, David Wexelblat <davidwexelblat@aol.com>, 
Jeromy Carriere <j@thecarrieres.com>, Jeromy Carriere <sjcarriere@hotmail.com> 
2 Attachments, 255 KB 

Conor, Edwin, David, Jeromy, 

Attached is a second draft of the application and drawings for this application, which incorporates the detailed comments I 
received from Edwin, and the general comments I received from David. 

I also made several other corrections, and added supporting paragraphs, particularly in reference to Figures 1-6. I also made 
several corrections in the Figures, and added identity reference characters (e.g. 29a, 29b) associated with core authentication 
records (FIG. 10, FIG. 11). 

Please make your final review, and send your red-lined version, or approval to file, by Monday, August 18. 

Thanks, 

Don Hendricks 

Patent Agent 

(831) 656-0598 Ph 

(831) 656-0598 Fax 

donhdesign@earthlink.net 

for Glenn Patent Group 
3475 Edison Way, Suite L 
Menlo Park, CA 94025 
650-474-8400 
650-474-8401 (Fax) 

This message is intended only for the individual to whom it is addressed 
and may contain information that is confidential, privileged, or 
otherwise exempt from disclosure under applicable law. If you are not 
the individual to whom this message is addressed, you are advised that 
any use, copying, or disclosure of this message or the contents thereof 
is without permission and contrary to law. If you receive this message 
in error, please call 650-474-8400. 
IDENTITY BASED SERVICE SYSTEM 

FIELD OF THE INVENTION 

The invention relates to the field of network based services and structures. More 
particularly, the invention relates to identity creation, management, authentication, and 
authorization structures for enhanced network services. 

BACKGROUND OF THE INVENTION 

At the present time, the identity of an individual or user in a network environment, such 
as the Internet, is comprised of a large number of pieces of information, which is 
collected and recollected by a large number of entities. Some basic information 
regarding an individual, such as but not limited to name information, address 
information, identification information, financial information, profile information, and/or 
preference information, is repeatedly collected and stored at a large number of system 
entities. Additional information, such as a user name and password, is created, as 
necessary, such that the individual or user can sign on and/or gain access to a service 
provider. 

A large number of pieces of an individual's business and personal identity are therefore 
scattered across an increasing number of system entities, such as but not limited to 
commercial entities, banking and investment institutions, credit card companies, service 
providers, and/or educational institutions. 

Individuals are therefore required to repeatedly enter much of the same information, in 
the process of numerous professional and/or personal endeavors. Furthermore, as the 
information for an individual changes, the stored information becomes increasingly 
impractical to manage and/or update. In addition, the numerous user names and 
passwords associated with an individual quickly become unwieldy, such that users 
often forget or lose track of the information they need to access services and/or 
accounts. 

Several structures and methods have been described for identity and proxy-based 
networks, such as: 

E. Gabber, P. Gibbons, Y. Matias, and A. Mayer, System and Method for Providing 
Anonymous Personalized Browsing by a Proxy System in a Network, U.S. Pat. No. 
5,961,593, 05 October 1999, describes a system "For use with a network having server 
sites capable of being browsed by users based on identifiers received into the server 
sites and personal to the users, alternative proxy systems for providing substitute 
identifiers to the server sites that allow the users to browse the server sites 
anonymously via the proxy system. A central proxy system includes computer-executable 
routines that process site-specific substitute identifiers constructed from 
data specific to the users, that transmits the substitute identifiers to the server sites, that 
retransmits browsing commands received from the users to the server sites, and that 
removes portions of the browsing commands that would identify the users to the server 
sites. The foregoing functionality is performed consistently by the central proxy system 
during subsequent visits to a given server site as the same site specific substitute 
identifiers are reused. Consistent use of the site specific substitute identifiers enables 
the server site to recognize a returning user and, possibly, provide personalized 
service"; 

Proxy-Based Security Protocols in Networked Mobile Devices; M. Burnside, D. Clarke, 
T. Mills, S. Devadas, and R. Rivest; MIT Laboratory for Computer Science; 
{event, declarke, mills, devadas, rivest}@mit.edu; 

SPKI/SDSI HTTP Server / Certificate Chain Discovery in SPKI/SDSI; D. Clarke; MIT 
Laboratory for Electrical Engineering and Computer Science, September 2001; 
Grid Information Services for Distributed Resource Sharing; K. Czajkowski, S. 
Fitzgerald, I. Foster, C. Kesselman; Proc. 10th IEEE Symposium on High-Performance 
Distributed Computing, 2001; 

Certificate Discovery Using SPKI/SDSI 2.0 Certificates; J. Elien; MIT Department of 
Electrical Engineering and Computer Science; May 1998; and 

Local Names in SPKI/SDSI; N. Li; NYU Department of Computer Science; Proceedings 
of the 13th IEEE Computer Security Foundations Workshop. 

Other systems provide various details of the operation of network identity and proxy 
systems, such as U.S. Patent No. 6,460,036, System and Method for Providing 
Customized Electronic Newspapers and Target Advertisements; U.S. Patent No. 
6,029,195, System for Customized Electronic Identification of Desirable Objects; U.S. 
Patent No. 5,835,087, System for Generation of Object Profiles for a System for 
Customized Electronic Identification of Desirable Objects; U.S. Patent No. 5,754,939, 
System for Generation of User Profiles for a System for Customized Electronic 
Identification of Desirable Objects; U.S. Patent No. 5,754,938, Pseudonymous Server 
for System for Customized Electronic Identification of Desirable Objects; U.S. Patent 
No. 6,490,620, Integrated Proxy Interface for Web Based Alarm Management Tools; 
U.S. Patent No. 6,480,885, Dynamically Matching Users for Group Communications 
Based on a Threshold Degree of Matching of Sender and Recipient Predetermined 
Acceptance Criteria; U.S. Patent No. 6,473,407, Integrated Proxy Interface for Web 
Based Alarm Management Tools; U.S. Patent No. 6,421,733, System for Dynamically 
Transcoding Data Transmitted Between Computers; U.S. Patent No. 6,385,652, 
Customer Access Solutions Architecture; U.S. Patent No. 6,373,817, Chase Me 
System; U.S. Patent No. 6,338,064, Method for Enabling a Web Server Running a 
"Closed" Native Operating System to Impersonate a User of a Web Client to Obtain a 
Protected File; U.S. Patent No. 6,259,782, One-Number Communications System and 
Service Integrating Wireline/Wireless Telephone Communications Systems; U.S. Patent 
No. 5,974,566, Method and Apparatus for Providing Persistent Fault-Tolerant Proxy 
Login to a Web-Based Distributed File Service; European Pat. No. EP 1094404, 
Collaborator Discovery Method and System; European Pat. No. EP 1031206, Identity 
Discovery Method for Detecting Authorized Security Service Which is Illicitly 
Transferring Decoding Capabilities for use in Unauthorized Security Devices; The 
Session Initiation Protocol: Internet-Centric Signaling; H. Schulzrinne, J. Rosenberg; 
IEEE Communications Magazine; October 2000; How Bluetooth Embeds in the 
Environment; Lawday, G.; Electronic Product Design; Nov. 2001; and Business: 
Designing with Users in Internet Time; J. Braiterman, S. Verhage, and R. Choo; 
Interactions: Sept.-Oct. 2000. 

It would be advantageous to provide an identity based service system, which does not 
require a user to create a user identity for each service provider. The development of 
such an identity based service system would constitute a major technological advance. 

Furthermore, it would be advantageous to provide an identity based service system, 
which allows a user to create an identity which can be controllably accessed and 
shared by a plurality of service providers. The development of such an identity based 
service system would constitute a further technological advance. 

As well, it would be advantageous that such an identity based service system be 
integrated with existing site authentication and authorization structures, such that the 
identity based service system is readily used by a wide variety of sites. The 
development of such an identity based service system would constitute a further major 
technological advance. 

SUMMARY OF THE INVENTION 

An identity based service system is provided, in which an identity is created and 
managed for a user or principal, such that at least a portion of the identity is available to 
use between one or more system entities. A discovery service enables a system entity 
to discover a service descriptor, given a service name and a name identifier of the user, 
whereby system entities can find and invoke the user's other personal web services. 
The discovery service preferably provides a translation between a plurality of 
namespaces, to prevent linkable identity information over time between system entities. 

Attorney Docket No. AOL0091 PROPRIETARY INFORMATION - REVIEW DRAFT 13 August 2003 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a basic functional block diagram for an identity based service system, in 
which a service provider accesses services for a principal; 

Figure 2 is a flow diagram for the access of service within an identity based service 
system; 

Figure 3 is a functional block diagram of an identity based service system, comprising a 
discovery service associated with an identity provider, a web service provider, and a 
web service consumer; 

Figure 4 is a flow diagram for the access of service within an identity based service 
system comprising a discovery service associated with an identity provider, a web 
service provider, and a web service consumer; 

Figure 5 is a functional block diagram of an identity based service system, in which a 
discovery service issues service assertions that are used to invoke services; 

Figure 6 is a flow diagram for the access of service in the identity based service system 
shown in Figure 5; 

Figure 7 is a functional block diagram of profile service principal core information; 

Figure 8 is a functional block diagram of a profile data entry; 
Figure 9 is a schematic view of an identity based service system configured on a virtual 
network; 

Figure 10 is a functional block diagram of a core authentication record; 

Figure 11 is a functional block diagram of multiple core authentication records which are 
maintained on behalf of a plurality of identities for a user; 

Figure 12 is a functional block diagram of multiple core authentication records 
maintained on behalf of a user, based upon system access through different devices; 

Figure 13 is a schematic view of namespace translation within the identity based 
service system; 

Figure 14 is a first schematic view of operation for an identity based service system, in 
which a user logs onto a first service provider site; 

Figure 15 is a second view of operation for an identity based service system, wherein a 
user may select system site links and/or system service links; and 

Figure 16 is a third view of operation for an identity based service system, in which a 
system identity is established at an identity provider. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

Figure 1 is a basic functional block diagram for an identity based service system 10a, in 
which a service provider 16 accesses services for a principal 12. Figure 2 is a flow 
diagram 30 for the access of service within an identity based service system 10. In 
Figure 1, the system entities 27 comprise an identity provider 14, a service provider 16, 
and a principal 12. The system entities 27 assume roles within the identity based 
service system 10. 
A principal 12, such as a user or user agent, is an entity 27 that can acquire a system 
identity 29, and be authenticated and vouched for 19 by an identity provider 14. A 
principal 12 often comprises a user, using a user agent, either a web browser or a 
smart web services client. 

An identity provider (IDP) 14 authenticates and vouches for principals 12, and provides 
system management for system identities 29. A service provider (SP) 16 provides 
service to one or more requestors, such as principals 12, typically through a web service 
consumer 48 (FIG. 3), upon proof of authentication 19 by the identity provider 14. 

The identity based service system 10a shown in Figure 1 provides a web services-based 
service infrastructure that enables users U to manage the sharing of their 
personal information across an identity provider 14 and service providers 16. In some 
system embodiments 10, the system 10 also provides one or more personalized 
services 116, e.g. 116a, 116b, 116c, and/or 116d (FIG. 9) for users U (FIG. 11). 

For example, a user U, through a principal 12, is able to authorize a service provider 16 
to access his or her contact data 94a (FIG. 7), such as shipping address data 96, e.g. 
96a (FIG. 7), while processing a transaction. Principals 12 are able to use 
sophisticated clients that support web services, in addition to traditional browser-oriented 
user agents. In some system embodiments, web services are defined as 
Simple Object Access Protocol (SOAP) bindings over HTTP, comprising header blocks 
and processing rules, which enable the system 10 to invoke identity services 116 
through SOAP requests and responses. 

The identity based system framework 10 enables service providers 16 and other 
system entities 27 to craft and offer sophisticated services, including multi-provider-based 
services 116, e.g. 116a, 116b, 116c, and/or 116d (FIG. 9). 
As seen in Figure 2, a principal 12, such as a user or user agent, logs in 18 and 
receives an IDP assertion 19 from the identity provider 14. The principal then 
authenticates 20 at the service provider 16, with the received IDP assertion 19. The 
service provider 16 then requests 22 a service descriptor 26 and assertion for service 
28 at the identity provider 14. Based upon the request 22, the service provider 16 
receives 23 the service descriptor 26 and assertion for service 28 from the identity 
provider 14. The service provider 16 then invokes service 24 with the received 
assertion for service 28, such as at the identity provider 14, or with an associated 
system entity 27, e.g. such as a web service provider 54 (FIG. 3, FIG. 5). 

Figure 3 is a functional block diagram 40 of an identity based service system 10b, which 
further comprises a discovery service 42 associated with the identity provider 14, a web 
service provider 54, and a web service consumer 48. Figure 4 is a flow diagram 60 for 
the access of service within an identity based service system 10b. 

As seen in Figure 3 and Figure 4, a principal 12, such as a user or user agent, logs in 
18 and receives 19a an IDP assertion and discovery service descriptor from the identity 
provider 14. The principal then authenticates 44 at the service provider 16, with the 
received IDP assertion and discovery service descriptor 19a. The web service 
consumer 48 associated with the service provider 16 then requests 50 a service 
descriptor 26 and assertion for service 28 at the discovery service 42 associated with 
the identity provider 14. Based upon the request 50, the service provider 16 receives 
51 the service descriptor 26 and assertion for service 28 from the discovery service 42. 
The service provider 16 then invokes service 52, e.g. 52a (FIG. 4), with the received 
assertion for service 28, at a web service provider 54. 

A web service provider (WSP) 54 hosts personal web services 116 (FIG. 9), such as a 
profile service 116b (FIG. 9), while a web service consumer (WSC) 48 invokes web 
services 116 at web service providers WSP 54. With appropriate identification and 
authorization, a web service consumer 48 is able to access the user's personal web 
services 116, by communicating with the web service provider endpoint 54. 
As seen in Figure 3, the identity provider IDP 14 provides authentication 19, e.g. 19a, to 
the principal 12, based upon a successful log in 18. The principal 12 then interacts with 
the service provider 16, and relays the authentication information 19, comprising an IDP 
assertion 45 and a discovery service descriptor 26. 

The service provider SP 16, acting as a web service consumer 48, uses the discovery 
service 42, to determine whether the principal 12 is enabled for a particular service 116, 
and to obtain the necessary assertions which authorize use of the service 116. The 
policy framework addresses whether the principal 12 is enabled for some particular 
service, and if so, what fine-grained methods are allowed, and what data is to be 
returned. Web service security is typically applied to all messages flowing between 
system entities 27. 
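The exchange of Figures 2 through 4 and the policy check just described, as an added example that is not part of the patent application: the identity provider issues an assertion to the principal; the service provider verifies it before trusting the subject; the service provider, acting as web service consumer, asks the discovery service for a service descriptor and an assertion for service; and the web service provider checks that assertion (signature, audience, validity window, single use) and the principal's method policy before answering. The HMAC-signed JSON tokens stand in for the signed assertions the text refers to; the shared keys, the names `shop.example`, `wsp.example` and `idp.example`, and Alice's credentials and profile data are all assumptions constructed for this example.

```python
import base64, hashlib, hmac, json, secrets, time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(txt: str) -> bytes:
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))


def mint(claims: dict, key: bytes) -> str:
    """Assertion = canonical JSON claims + HMAC-SHA256 tag (stand-in for a signed assertion)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def verify(token: str, key: bytes, audience: str, now: float, seen: set) -> dict:
    """Relying-party checks: signature, intended audience, validity window, single use."""
    body_b64, tag_b64 = token.split(".")
    body = _unb64(body_b64)
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), _unb64(tag_b64)):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["aud"] != audience:
        raise ValueError("assertion issued for a different audience")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("assertion outside its validity window")
    if claims["id"] in seen:
        raise ValueError("assertion replayed")
    seen.add(claims["id"])
    return claims


class IdentityProvider:
    """IDP that also hosts the discovery service, as in Figure 3."""

    def __init__(self):
        self.keys = {}  # partner name -> key shared with that partner (assumed provisioned out of band)
        self.users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # constructed user
        self.endpoints = {("alice", "profile"): "https://wsp.example/profile"}  # registered services
        # Policy framework: which methods each WSC may call on each of the user's services.
        self.policy = {("alice", "profile", "shop.example"): {"GetProfile"}}

    def register(self, partner: str) -> bytes:
        self.keys[partner] = secrets.token_bytes(32)
        return self.keys[partner]

    def login(self, user: str, password: str, sp: str, now: float) -> str:
        """Steps 18/19: authenticate the principal and issue the IDP assertion for one SP."""
        if self.users.get(user) != hashlib.sha256(password.encode()).hexdigest():
            raise PermissionError("login failed")
        return mint({"id": secrets.token_hex(8), "sub": user, "aud": sp, "nbf": now,
                     "exp": now + 300, "ds": "https://idp.example/disco"}, self.keys[sp])

    def discover(self, wsc: str, user: str, service: str, now: float):
        """Steps 22/23 (50/51): service descriptor plus a short-lived assertion for service."""
        methods = self.policy.get((user, service, wsc))
        if not methods:
            raise PermissionError(f"{user} has not enabled {service} for {wsc}")
        endpoint = self.endpoints[(user, service)]
        assertion = mint({"id": secrets.token_hex(8), "sub": user, "aud": endpoint, "wsc": wsc,
                          "svc": service, "methods": sorted(methods), "nbf": now, "exp": now + 60},
                         self.keys[endpoint])
        return {"service": service, "endpoint": endpoint}, assertion


class WebServiceProvider:
    def __init__(self, endpoint: str, key: bytes):
        self.endpoint, self.key, self.seen = endpoint, key, set()
        self.data = {"alice": {"name": "Alice", "shipping": "1 Example Way"}}  # constructed profile

    def invoke(self, assertion: str, method: str, now: float):
        """Step 24/52: the WSP does not merely consume the assertion; it also enforces policy."""
        claims = verify(assertion, self.key, self.endpoint, now, self.seen)
        if method not in claims["methods"]:
            raise PermissionError(f"{method} not permitted for {claims['wsc']}")
        return {"GetProfile": self.data[claims["sub"]]}[method]


def run_flow(now=None) -> dict:
    now = time.time() if now is None else now
    idp = IdentityProvider()
    sp_key = idp.register("shop.example")
    wsp = WebServiceProvider("https://wsp.example/profile", idp.register("https://wsp.example/profile"))
    idp_assertion = idp.login("alice", "correct horse", "shop.example", now)
    # The SP verifies the IDP assertion before trusting its subject.
    user = verify(idp_assertion, sp_key, "shop.example", now, set())["sub"]
    descriptor, svc_assertion = idp.discover("shop.example", user, "profile", now)
    outcome = {"descriptor": descriptor, "profile": wsp.invoke(svc_assertion, "GetProfile", now)}
    try:  # presenting the same assertion for service twice is refused
        wsp.invoke(svc_assertion, "GetProfile", now)
    except ValueError as err:
        outcome["replay"] = str(err)
    try:  # a method outside the principal's policy is refused even with a fresh assertion
        wsp.invoke(idp.discover("shop.example", user, "profile", now)[1], "SetProfile", now)
    except PermissionError as err:
        outcome["denied"] = str(err)
    return outcome


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=1))
```

The point to keep from the example is that two different keys and two different audiences are in play: the IDP assertion is bound to the service provider, the assertion for service is bound to the web service provider endpoint named in the descriptor, and neither can be presented to the other party or reused after its validity window.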

As seen in Figure 3, the identity based service system 10b comprises a web-service 
infrastructure, which comprises the discovery service 42, service invocation 52, a 
permission and authorization framework, a change management framework, as well as 
a mobile infrastructure. 

In some system embodiments 10, web service consumers 48 are hosted on a server at 
a service provider 16. In alternate system embodiments 10, web service consumers 48 
are hosted on a user device 192 (FIG. 14). 

A discovery service (DS) 42 is typically hosted by an identity provider (IDP) 14, and 
enables web service consumers 48 to discover service endpoint information 96 (FIG. 7) 
associated with the personal web services 116 of a user U. 

Architectural Components. The identity based service system 10 comprises the 
following architectural components: 
Services. A service is a grouping of common functionality. For example, a core 
profile service 116b (FIG. 9) handles all interaction to do with user profile 
information 96. Services typically offer one or more methods callers use to 
manipulate the information managed by the service, and are typically scoped in 
the context of a particular principal 12, e.g. GetProfile (Principal) accesses the 
principal's entire set of profile data. 

Services may be either RPC-style or one-way exchanges. In RPC-based 
exchanges, the Web Services Consumer 48 is the requestor 50, and the Web 
Services Provider 54 is the responder 51. 

Schemas. Schemas describe the syntax and relationships of data. Each 
service element 116 comprises an associated schema for the data that is 
relevant to the service element 116. For example, the profile service 116b 
comprises schema elements 96 which are relevant to a profile 94, such as but 
not limited to a name, an address, and a phone number for a user U. 

System Entity Roles. System Entities may assume one or more roles. 

As seen in Figure 3, service descriptors 26 are used to locate a system service 54, 
while service assertions 28 are used as credentials, to access the system service 54. A 
service descriptor 26 typically describes a SOAP endpoint for an identity based system 
service 54. A service assertion 28 is an assertion used as a credential to access an 
identity based system service 54. 

Discovery Service Overview. In the identity based service system 10, the personal 
web services 116 for a user U are preferably distributed across multiple web service 
providers 54. Therefore, web service consumers 48 comprise a means for discovering 
service locations 54. The discovery service 42 is a personal web service which enables 
system entities 27 to discover a service descriptor 26, given a service name and a 
user's name identifier 174 (FIG. 13), whereby a web service consumer 48 is able to find 
and invoke the web services 54 of a user U. 

Figure 5 is a functional block diagram 70 of an identity based service system 10c, in 
which a discovery service 42 issues service assertions 28 that are used to invoke 
services 54. Figure 6 is a flow diagram 80 for the access of service 54 in the identity 
based service system 10c shown in Figure 5. 

As seen in Figure 5 and Figure 6, a principal 12, such as a user or user agent, logs in 
18 and receives 19b an IDP assertion and discovery service descriptor from the identity 
provider 14. The principal then authenticates 44 at a service provider 16 that is 
associated 46 with the identity provider 14, with the received IDP assertion and 
discovery service descriptor 19b. A web service consumer 48 associated with the 
service provider 16 then requests 50 a service descriptor 26 and assertion for service 
28 at the discovery service 42 associated with the identity provider 14. Based upon the 
request 50, the service provider 16 receives 51 the service descriptor 26 and assertion 
for service 28 from the discovery service 42. The service provider 16 then invokes 
service 52, e.g. 52a (FIG. 4), with the received assertion for service 28, at a site or web 
service provider 54 that is associated 72 with the identity provider 14. 

Because of the pseudonymous identity of users in the identity based service system 10, 
web service consumers 48 and web service providers 54 do not have a common name 
for a user U. The identity provider 14 of a user U is the system entity 27 that maps 
between the disparate namespaces 176, 182 (FIG. 13). As seen in Figure 13, the 
discovery service 42, which is hosted by the identity provider 14, provides this 
namespace translation. 

The web service consumer 48 prompts the name translation service by sending the 
user's name 174a in the WSC-IDP namespace 176 to the identity provider 14. The 
identity provider 14 hands back a user name 174b in the WSP-IDP namespace 182, in 
a format to which the web service consumer 48 is blinded, via encryption 
184. The encrypted value 184 of the name 174b is preferably different each time the 
name 174a, 174b is used, such that there is no linkable identity information over time 
between the web service consumer 48 and the web service provider 54. This name 
translation assertion 28 is also preferably time-bound, to prevent long-term use of a 
translated name 174b, and to prevent linking of the actions of a principal 12. 

In the identity based service system 10, the user's identity provider 14 always hosts the 
discovery service 42, since the discovery service 42 must be aware of the pair-wise 
identifier relationships 174a, 174b between parties 27. 
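The namespace translation described above, as an added example that is not part of the patent application: the discovery service derives a separate pairwise name for the user per partner, so the web service consumer and web service provider never share a common name; when the consumer asks by the name it knows, the service returns the provider's name blinded under a key only the provider holds, with a fresh nonce each time (so two translations of the same user are unlinkable to the consumer) and an expiry the provider enforces. The HMAC-based derivation and the toy randomised encrypt-then-MAC used for blinding, the shared keys, and the names `shop.example` and `wsp.example` are assumptions made for this example.

```python
import hashlib, hmac, json, secrets, time


def pairwise_name(master: bytes, user: str, partner: str) -> str:
    """Per-partner pseudonym for the user: WSC and WSP each see an unrelated name."""
    return hmac.new(master, f"{user}|{partner}".encode(), hashlib.sha256).hexdigest()[:24]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def blind(key: bytes, plaintext: bytes) -> bytes:
    """Toy randomised encrypt-then-MAC: the same plaintext yields a different blob every call."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unblind(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tampered translation")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class DiscoveryService:
    """Hosted by the IDP: the only party that knows both pairwise names of a user."""

    def __init__(self, ttl: float = 60.0):
        self.master = secrets.token_bytes(32)  # derives pairwise names; never leaves the IDP
        self.wsp_keys = {}  # WSP endpoint -> key shared with the IDP (assumed provisioned out of band)
        self.lookup = {}    # (partner, pairwise name) -> internal user
        self.ttl = ttl

    def enrol(self, user: str, partner: str) -> str:
        name = pairwise_name(self.master, user, partner)
        self.lookup[(partner, name)] = user
        return name

    def translate(self, wsc: str, wsc_name: str, wsp: str, now: float) -> bytes:
        """WSC sends the name it knows (WSC-IDP namespace); gets the WSP-IDP name back blinded."""
        user = self.lookup[(wsc, wsc_name)]
        wsp_name = pairwise_name(self.master, user, wsp)
        inner = json.dumps({"name": wsp_name, "exp": now + self.ttl}).encode()
        return blind(self.wsp_keys[wsp], inner)  # only the WSP can open this


class WebServiceProvider:
    def __init__(self, ds: DiscoveryService, endpoint: str):
        self.key = ds.wsp_keys[endpoint] = secrets.token_bytes(32)

    def resolve(self, blob: bytes, now: float) -> str:
        body = json.loads(unblind(self.key, blob))
        if now >= body["exp"]:
            raise ValueError("translated name expired")
        return body["name"]


def demo(now=None) -> dict:
    now = time.time() if now is None else now
    ds = DiscoveryService()
    wsp = WebServiceProvider(ds, "https://wsp.example/profile")
    wsc_name = ds.enrol("alice", "shop.example")                  # the name the WSC knows
    wsp_name = ds.enrol("alice", "https://wsp.example/profile")  # the name the WSP knows
    t1 = ds.translate("shop.example", wsc_name, "https://wsp.example/profile", now)
    t2 = ds.translate("shop.example", wsc_name, "https://wsp.example/profile", now)
    try:
        wsp.resolve(t1, now + 120)
        late = None
    except ValueError as err:
        late = str(err)
    return {
        "names_differ": wsc_name != wsp_name,  # no common name across WSC and WSP
        "blobs_differ": t1 != t2,              # WSC cannot link two translations of one user
        "wsp_resolves": wsp.resolve(t1, now) == wsp_name == wsp.resolve(t2, now),
        "late": late,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties the text asks for fall out of where the keys live: the consumer holds neither the master key (so it cannot derive the provider's name) nor the provider's key (so it cannot open or compare blobs), and the expiry travels inside the blinded body, so the provider, not the consumer, decides when a translated name stops being honoured.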

10 

In response to a discovery request, the service 42 returns 51 a service descriptor 26 
that points to a particular web service provider 54. Additionally, a translated name 174b 
and relevant security tokens 186 (FIG. 13) are typically included as well. Some 
discovery services 42 enforce user presence requirements on web service consumers 
48, and/or enforce one or more authorization rules on each web service consumer 48. 

The discovery service 42 also provides an administrative interface, whereby a set of 
services 116 for a user can be configured. Services may be registered and 
unregistered. 
Profile Service. Figure 7 is a functional block diagram 90 of profile service 116b (FIG. 
9) principal core information 92. A profile service 116b manages the core personal 
information 92 for a principal 12. The core personal information 92 typically comprises 
a plurality of data types 94a-94n, such as contact data 94a, demographic data 94b, 
and/or core preferences 94n. 

A profile service 116b (FIG. 9) allows principals 12 to create a profile 92, to update 
profile data 94a-94n, and to specify privacy controls 98. Once a user creates a profile 
92, the profile 92 can be used at any of the system web service consumer 48 sites, 
such that principals 12 are not required to re-enter data, such as on a registration form. 
Figure 8 is a functional block diagram of a profile data entry. Each profile data entry 96 
is typically associated with a collection of metadata 107, comprising but not limited to 
data categories 102, change timestamp information 104, data validation information 
106, and/or creator information 108. 

Data category information 102 allows information to be classified as applicable, such as 
to define a home or business profile. For example, an address can be classified as a 
home and/or a business address. Data categories 102 are typically defined by web 
service providers 54, by web service consumers 48, and/or by principals 12. 

Change timestamp information 104 typically comprises a number 105, e.g. 105a, 
which represents the latest modification time of a particular node and associated 
descendants. 

Data validation information 106 comprises an indication of whether the data content 94 
has been validated or not. If the data content 94 is validated, the information may 
preferably comprise what type of validation was performed, and when the validation 
was performed. A web service consumer 48 typically uses metadata 107. 
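The Figure 8 metadata just described, as an added example that is not from the patent application: a small profile tree in which each node's change timestamp holds the latest modification of the node or any descendant, so a web service consumer that cached the profile can ask for everything changed since its snapshot and the unchanged subtrees are pruned from the walk; category tags separate home from business entries, and rewriting an entry clears its validation record until it is checked again. The node names, addresses, validation method and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set


@dataclass
class ProfileNode:
    """One profile data entry (Figure 8), or a grouping node above several entries."""
    name: str
    value: Optional[str] = None
    categories: Set[str] = field(default_factory=set)   # e.g. {"home"}, {"business"}
    validated: Optional[dict] = None                     # {"method": ..., "at": ...} once checked
    changed: float = 0.0                                 # latest change in this node or any descendant
    children: Dict[str, "ProfileNode"] = field(default_factory=dict)
    parent: Optional["ProfileNode"] = field(default=None, repr=False)

    def child(self, name: str, **kw) -> "ProfileNode":
        node = ProfileNode(name, parent=self, **kw)
        self.children[name] = node
        return node

    def set_value(self, value: str, now: float) -> None:
        """Writing a leaf bumps the timestamp on every ancestor and drops stale validation."""
        self.value, self.validated = value, None
        node = self
        while node is not None:
            node.changed = max(node.changed, now)
            node = node.parent

    def validate(self, method: str, now: float) -> None:
        self.validated = {"method": method, "at": now}

    def leaves(self, category: Optional[str] = None,
               since: Optional[float] = None) -> Iterator["ProfileNode"]:
        """Entries a WSC would read, filtered by category and/or changed-since.
        A subtree whose root timestamp is not newer than `since` is skipped entirely."""
        if since is not None and self.changed <= since:
            return
        if self.value is not None and (category is None or category in self.categories):
            yield self
        for child in self.children.values():
            yield from child.leaves(category, since)


def build_profile() -> ProfileNode:
    root = ProfileNode("profile")
    contact = root.child("contact")
    home = contact.child("home_address", categories={"home"})
    work = contact.child("work_address", categories={"business"})
    phone = contact.child("phone", categories={"home", "business"})
    home.set_value("1 Example Way", now=100.0)
    home.validate("postal-lookup", now=101.0)
    work.set_value("2 Example Plaza", now=110.0)
    phone.set_value("+1 555 0100", now=120.0)
    return root


def demo() -> dict:
    root = build_profile()
    snapshot = root.changed  # a WSC cached the whole profile here (t=120)
    home = root.children["contact"].children["home_address"]
    home.set_value("3 Example Way", now=130.0)  # user moves; the entry is unvalidated again
    return {
        "root_changed": root.changed,
        "home_entries": [n.name for n in root.leaves(category="home")],
        "changed_since_snapshot": [n.name for n in root.leaves(since=snapshot)],
        "home_validated": home.validated,
    }


if __name__ == "__main__":
    print(demo())
```

A consumer that stores only the root timestamp from its last read can therefore decide with one comparison whether anything under the profile changed, and fetch just the changed entries when it did; the cleared validation record tells it that the new address has not yet been checked by anyone.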

20 Figure 9 is a schematic view 110 of an identity based service system 10 configured on 
a virtual network 112. The virtual network 112, provides a single set 114 of services 
116a-116n, which are provided by one or more contributors 118a-118j. The virtual 
network 112 formed within the identity based service system 10 provides one or more 
core services 116. 

25 

In some basic embodiments of the identity based service system 10, the core services 
comprise a basic authentication service 116a. In alternate basic embodiments of the 
identity based service system 1 0, the core services comprise both an authentication 
service 1 16a and a profile service 1 16b. In some preferred embodiments of the identity 
30 based service system 1 0, the core services comprise a variety of services, such as an 
authentication service 116a, a profile service 116b, an alert service 116c, and/or a 
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wallet service 11 6n. 

The identity based service system 10 also supports other value-added services 116 for 
a user, such as a calendar service and/or an address book service. The identity based 
5 service system 10 provides access for a wide variety of web consumer sites 120a-120k, 
such as large business sites 120a and/or small business sites 120k. 

As seen in Figure 9, service consumers 48 comprise sites which use services 116 from 
the network 112. As seen through a site 120, the services 116 presented by the virtual 
10 network 112 preferably look like a single set 114 of services 116, i.e. from a single 
provider 1 1 8 of services, even though the services are typically provided by any number 
of contributors 1 1 8a-1 1 8j. 

The core service provider 118b shown in Figure 9 provides one or more core services 
15 116, e.g. 1 16a-1 16n, on the virtual network 112. While some basic services, such as a 
profile service, are currently available through some Internet providers, such services 
are separate and distinct. In the identity based service system 10, the various services 
116, e.g. 1 16a-1 16n, are aware of each other and of the virtual network 112. 

20 As seen in Figure 9, the identity based service system 10 preferably comprises a 
plurality of service contributors, i.e. vendors 118a-118j. While different 118 vendors 
typically contribute different sets of varying services 116, the source of a service 1 16 is 
typically transparent to users U as they interact with the recipient sites 120. 

25 Levels of Trust and Integration. The identity based service system 10 preferably 
provides varying levels of trust and integration. For example, as seen in Figure 9, a 
small retail site 120k typically comprises a low level of trust, such that a user U is 
typically asked to confirm transactions, through redirect exchanges with the system 10. 

A larger site 120, such as a large retail site 120a or an auction site 120b, which is 
integrated with the network 112 and is able to perform tasks on behalf of the user U, 
e.g. get money from a wallet 116n, typically has a higher level of trust with the system 
10. 

Core service providers 118, such as providers 118a-118j of core services 116, typically 
have a high level of trust with the system 10, and are able to perform system functions 
on behalf of a user U. In addition, core service providers 118 which provide 
authentication 116a have the highest level of service requirements, and inherently 
require the highest level of trust within the system 10. 

Service Invocation. In order to enable interactions between multiple endpoints within 
a circle of trust, the discovery service 54 issues service assertions 28 (FIG. 3, FIG. 5) 
that can be used by service consumers 48, such as to access other service providers 
54. 

In some embodiments of the identity based service system 10, messages can be 
routed and be transported through multiple hops. Additionally, message-level 
confidentiality is employed for sensitive data in multi-hop cases where confidentiality is 
required. 

The target service provider 54 does not simply consume the service assertion 28. 
Relevant policy is enforced to ensure that the service invocation is in line with the 
principal's policies. 

Authentication. Most system services require requester authentication. Additionally, 
the response is authenticated. For example, a user authentication comprises a 
determination of the identity 29 of a user U. Online authentication can take many forms, 
such as a stored browser cookie, a user name/password combination, or stronger 
technologies such as smart cards or biometric devices. 

In the identity based service system 10, the user's identity 29 is authenticated, in 
accordance with privacy and security policies. The evidence of authentication for a 
user U comprises the user identity 29, in addition to guarantees of authentication. The 
evidence of authentication for a user U refers to stored and/or passed data that 
indicates that a user is authenticated, and which can be interrogated to verify the 
authentication. 


As an example, web sites often store a cookie to provide personalization information 
about their site for the user. However, for e-commerce transactions, that same web site 
may require a user to explicitly supply an ID and password. While both stored cookies 
and ID/passwords are authentications, an ID/password authentication is stronger than 
an authentication provided by a stored cookie. The use of different forms of 
authentication allows a site to balance user convenience with its security policies, as 
needed. 

System Authorization. While user authentication determines the identity 29 of the 
user U, authorization is the process of determining what an authenticated user U is 
allowed to do, and of determining any services and/or entities 27 which are allowed 
to act on behalf of the user U. 

For example, a web site that provides access to bank account information may be 
configured to allow only the primary account holder to transfer funds to/from the 
account, but allow all members of the family to view the current account balance. While 
each user U is authenticated, only one user U is able to perform authorized activities. 

Another example would be that of a network payment service (or smart wallet) 116n 
(FIG. 9, FIG. 10), which contains credit card information and/or cash account 
information 118. A user U of a wallet service 116n can controllably authorize a service 
provider 54 to access credit card information and/or cash account information. In this 
case, the user U is authenticated, and authorized to control the payment service, while 
the service provider 54 is also authenticated, but authorized only to access the credit 
card information. 
As shown above, some embodiments of the identity based service system 10 feature a 
delegation of authorization, wherein a user U is not required to navigate to a payment 
site to authorize a transaction. For example, while a user U shops at a web site 120, 
during a checkout process, a system enabled web site 120 may access the 
payment/wallet service 116n, on behalf of the user U, wherein the user has delegated 
authorization to the web site to act on his behalf with the payment service 116n. 

User Identities. In the identity based service system 10, an identity 29 of a user U 
comprises a persona for that user. Figure 10 is a functional block diagram of a core 
authentication record (CAR) 132, which is maintained on behalf of a user U, such as by 
the identity provider 14. Figure 11 is a functional block diagram of multiple core 
authentication records (CAR) 132a, 132b, which are maintained on behalf of a user U. 
Some preferred embodiments of the identity based service system 10 comprise support for 
multiple identities 29, i.e. personifications or personas, for a user U, wherein a user may 
interact differently, such as within different environments. As seen in Figure 11, a user 
U can preferably have more than one identity 29. For example, a user U can have one 
identity 29 for personal information, another identity 29 for business information, and a 
third identity for "anonymous" web access. 

The use of multiple identities 29 allows users U to store relevant information associated 
with each identity 29, and use or expose the information only as needed. For example, 
as seen in Figure 11, "Financial Entity A" 118j, such as corporate credit card information 
118j, is associated with a first entity 29a, e.g. business identity 29a, for a user U, and is 
located in the wallet 116n within work authentication record 132a. However, the 
"Financial Entity A" corporate credit card information 118j shown in Figure 11 is not 
associated with a second entity 29b, e.g. home or personal identity 29b, for the user U, 
and is therefore not located in the wallet 116n associated with the home or personal 
authentication record 132b. 

Similarly, an "anonymous" identity 29 would typically comprise no personally-identifiable 
information, enabling use of that identity 29 in appropriate situations. 
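The delegated wallet authorization described under System Authorization and the per-persona wallets just discussed, as an added example that is not code from the patent or from any AOL implementation: a minimal wallet service keyed by (user, persona), where the authenticated user delegates a named subset of one persona's wallet to a service provider and the provider is then authorized for exactly that subset, while the anonymous persona exposes nothing. User and provider names, attribute keys, the records and the ACL representation are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


class AccessDenied(Exception):
    """The request is outside what the persona's ACL 134 allows."""


@dataclass
class CoreAuthenticationRecord:
    """One CAR 132 per persona: persona-scoped profile data, the persona's
    wallet 116n, and an ACL of what each service provider may read."""
    persona: str
    profile: Dict[str, str] = field(default_factory=dict)
    wallet: Dict[str, str] = field(default_factory=dict)
    acl: Dict[str, FrozenSet[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Session:
    principal: str                  # user id, or id of a service provider 54
    is_user: bool
    persona: Optional[str] = None   # the record a user logged in 18 to


class WalletService:
    """Constructed stand-in for the wallet service 116n."""

    def __init__(self) -> None:
        self._cars: Dict[Tuple[str, str], CoreAuthenticationRecord] = {}

    def add_record(self, user: str, car: CoreAuthenticationRecord) -> None:
        self._cars[(user, car.persona)] = car

    def _car(self, user: str, persona: str) -> CoreAuthenticationRecord:
        try:
            return self._cars[(user, persona)]
        except KeyError:
            raise AccessDenied(f"no record for {user}/{persona}") from None

    def _controlling_record(self, session: Session) -> CoreAuthenticationRecord:
        """Only the authenticated user, within a persona, controls the wallet."""
        if not session.is_user or session.persona is None:
            raise AccessDenied("only the user controls the payment service")
        return self._car(session.principal, session.persona)

    def delegate(self, session: Session, provider: str, attributes: Iterable[str]) -> None:
        """Delegated authorization: the user lets a provider read a subset of the
        current persona's wallet, and nothing from any other persona."""
        car = self._controlling_record(session)
        wanted = frozenset(attributes)
        if not wanted <= set(car.wallet):
            raise AccessDenied(f"persona holds no {sorted(wanted - set(car.wallet))}")
        car.acl[provider] = wanted

    def revoke(self, session: Session, provider: str) -> None:
        self._controlling_record(session).acl.pop(provider, None)

    def read_wallet(self, session: Session, user: str, persona: str, attribute: str) -> str:
        """A provider is authenticated but authorized only for delegated
        attributes; a user reads only the persona it is logged in to."""
        car = self._car(user, persona)
        if session.is_user:
            if (session.principal, session.persona) != (user, persona):
                raise AccessDenied("users read only their own current persona")
        elif attribute not in car.acl.get(session.principal, frozenset()):
            raise AccessDenied(f"{session.principal} not delegated {attribute} in {persona}")
        if attribute not in car.wallet:
            raise AccessDenied(f"{persona} wallet has no {attribute}")
        return car.wallet[attribute]

    def profile(self, user: str, persona: str) -> Dict[str, str]:
        """Expose only the persona's own data; the anonymous persona has none."""
        return dict(self._car(user, persona).profile)


def denied(fn, *args) -> bool:
    """True when the call is refused (used to exercise the negative cases)."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def build_demo() -> WalletService:
    """Constructed sample: one user with work, home and anonymous personas,
    who delegates only the work credit card to one shop."""
    ws = WalletService()
    ws.add_record("alice", CoreAuthenticationRecord(
        "work", profile={"name": "A. Example", "email": "alice@corp.example"},
        wallet={"credit_card": "corp-visa-1111", "cash_account": "corp-acct-22"}))
    ws.add_record("alice", CoreAuthenticationRecord(
        "home", profile={"name": "Alice"}, wallet={"credit_card": "personal-mc-3333"}))
    ws.add_record("alice", CoreAuthenticationRecord("anonymous"))
    ws.delegate(Session("alice", True, "work"), "shop.example", {"credit_card"})
    return ws
```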

Scopes of Authentication. Network authentication occurs when a user's evidence-of-authentication 
19, e.g. 19b (FIG. 4), is issued by a network authentication service 
116a (FIG. 10), and enables a user U to access sites and services on the network 112. 
This enables single-sign-on features, wherein all network participants accept network 
evidence-of-authentication, in accordance with their own site policies, e.g. level of 
authentication required, and in accordance with user opt-in choices. 

In addition, a local authentication may occur, such as when evidence of authentication 
for a user U is issued by a local site/service, using its own authentication facilities, 
wherein the evidence of authentication is only valid for that specific site or service. A 
local authentication does not inherently carry with the user U from one site to another, 
and does not allow the site or service to access network services on behalf of the user 
U. 

Some embodiments of the identity based service system 10 provide both forms of 
authentication, whereby the system 10 can be integrated with sites that already have an 
authentication system. 

Requester identity, such as that of a web consumer 48, is established by the inclusion 
of a security token 186 (FIG. 13), which represents the identity of the requester, and the 
signing of relevant portions of the message with the key material implied by the security 
token 186. The security token 186 may be an X.509 certificate, a Kerberos ticket, a 
SAML assertion, a username & associated password, or any other valid security token 
186, as deemed necessary by the web service provider 54. Additionally, replay 
protection is preferably employed, such as a nonce-based challenge-response protocol, 
a timestamp included in the signature, or other replay protection mechanism. 

The responder's identity can be authenticated, such as by validating the signature on 
the response, which contains the original RequestID. 

Long-Lived Access to Services. In some alternate system embodiments 10, 
pursuant to the approval of a user U, the discovery service 42 assures long-lived 
service assertions to a web service consumer 48, such that the web service consumer 
48 can repeatedly invoke a service at the web service provider 54. Continual 
acceptance of the service assertion 28 at the web service provider 54 is dependent on 
user approval of continued access of the service at the web service provider 54. 

However, in system embodiments 10 wherein revocation is desired to be controlled by 
the identity provider 14 and associated discovery service 42, the discovery service 42 
prevents long-lived service assertions to a web service consumer 48. 
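The requester and responder authentication with replay protection described under Scopes of Authentication, together with the long-lived service assertions just described, as an added example that is not code from the patent or from any Liberty or AOL implementation: a discovery service issues signed service assertions, the web service consumer signs each request carrying a nonce and timestamp, and the web service provider checks the requester signature, freshness, replay, assertion validity and the user's continued approval before signing a response that echoes the RequestID. Assumptions: HMAC with shared keys stands in for the signature keys implied by the security token, the provider can query the discovery service's approval state directly, and all keys, names and lifetimes are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _mac(key: bytes, payload: dict) -> str:
    """Signature stand-in: HMAC-SHA256 over canonical JSON of the signed portions
    (a shared-secret token rather than the X.509 key material of the text)."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def _valid(key: bytes, signed: dict) -> bool:
    return hmac.compare_digest(signed["sig"], _mac(key, signed["body"]))


class DiscoveryService:
    """Discovery service 42: issues service assertions 28 and tracks user approval."""
    SHORT_LIFETIME = 300   # seconds; the cap when revocation stays with the IdP

    def __init__(self, key: bytes, allow_long_lived: bool) -> None:
        self.key, self.allow_long_lived = key, allow_long_lived
        self._approved: set = set()   # (user, consumer, service) triples

    def approve(self, user: str, consumer: str, service: str) -> None:
        self._approved.add((user, consumer, service))

    def withdraw(self, user: str, consumer: str, service: str) -> None:
        self._approved.discard((user, consumer, service))

    def still_approved(self, user: str, consumer: str, service: str) -> bool:
        return (user, consumer, service) in self._approved

    def issue(self, user: str, consumer: str, service: str, now: int, lifetime: int) -> dict:
        if not self.still_approved(user, consumer, service):
            raise PermissionError("user has not approved this access")
        if not self.allow_long_lived:   # IdP-controlled revocation: no long-lived assertions
            lifetime = min(lifetime, self.SHORT_LIFETIME)
        body = {"id": secrets.token_hex(8), "user": user, "consumer": consumer,
                "service": service, "iat": now, "exp": now + lifetime}
        return {"body": body, "sig": _mac(self.key, body)}


class ServiceConsumer:
    """Web service consumer 48: signs each request with its own token key."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key = name, key

    def build_request(self, assertion: dict, service: str, action: str, now: int) -> dict:
        body = {"request_id": secrets.token_hex(8), "consumer": self.name,
                "service": service, "action": action, "assertion": assertion,
                "ts": now, "nonce": secrets.token_hex(16)}   # replay protection, signed
        return {"body": body, "sig": _mac(self.key, body)}

    @staticmethod
    def check_response(request: dict, response: dict, provider_key: bytes) -> bool:
        # Responder authenticated by its signature over a body carrying the RequestID.
        return (_valid(provider_key, response)
                and response["body"]["request_id"] == request["body"]["request_id"])


class ServiceProvider:
    """Web service provider 54: checks requester signature, freshness, replay,
    the service assertion and continued user approval, then signs its response."""

    def __init__(self, name, discovery, ds_key, consumer_keys, own_key, window=300):
        self.name, self.discovery, self.ds_key = name, discovery, ds_key
        self.consumer_keys, self.own_key, self.window = consumer_keys, own_key, window
        self._seen: dict = {}   # nonce -> time until which it must be remembered

    def handle(self, request: dict, now: int) -> dict:
        body = request["body"]
        key = self.consumer_keys.get(body["consumer"])   # key implied by the token
        if key is None or not _valid(key, request):
            return self._reply(body, "denied:bad requester signature")
        if abs(now - body["ts"]) > self.window:
            return self._reply(body, "denied:stale timestamp")
        self._seen = {n: t for n, t in self._seen.items() if t > now}
        if body["nonce"] in self._seen:
            return self._reply(body, "denied:replay")
        self._seen[body["nonce"]] = now + self.window
        a = body["assertion"]
        if (not _valid(self.ds_key, a) or a["body"]["consumer"] != body["consumer"]
                or a["body"]["service"] != self.name or now >= a["body"]["exp"]):
            return self._reply(body, "denied:bad or expired service assertion")
        # Not simply consumed: acceptance depends on the user's continued approval.
        if not self.discovery.still_approved(a["body"]["user"], body["consumer"], self.name):
            return self._reply(body, "denied:user approval withdrawn")
        return self._reply(body, "ok")

    def _reply(self, req_body: dict, status: str) -> dict:
        body = {"request_id": req_body["request_id"], "status": status}
        return {"body": body, "sig": _mac(self.own_key, body)}
```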

Service Infrastructure. While current system embodiments 10 comprise a profile 
service (PS) 116 (FIG. 9), the identity based service system 10b preferably comprises a 
complete services infrastructure, such that the profile service 116, as well as other 
services, may be built on top of web service standards. 

For example, the infrastructure is typically accessible via SOAP over HTTP calls, as 
defined by WSDL descriptions, and uses agreed-upon schemas, such that the web 
services infrastructure transparently supports both static and dynamic data. An 
example of static data is a basic profiling service that returns an e-mail address. An 
example of dynamic data is that of an infrastructure served by a calendar service, which 
returns calendar appointments. 

Services, which for example may include a user's profile 116b, wallet 116n, or 
calendars/alerts 116c, typically comprise a set of logically related functionality, and 
comprise collections of attributes and service calls. 

Core Authentication Records. The core authentication record (CAR) 132 shown in 
Figure 10 is maintained on behalf of a user U, such as by the identity provider 14. The 
core authentication record 132 comprises links 136,140 to sites 120a-120k which are 
associated through the identity based service system 10. The core authentication 
record 132 is also linked to an ACL or other access control mechanism 134, and to 
services 138, such as core services 116, as provided by core service providers 118 or 
other web services (not shown) operating within the identity based service system 10. 

As seen in Figure 11, one or more core authentication records (CAR) 132, e.g. 
132a, 132b, may preferably be maintained on behalf of a user U, in embodiments of the 
identity based service system 10 which comprise support for multiple identities 29, i.e. 
personifications or personas, for a user U, wherein a user may interact differently, such 
as within different environments. 


For example, users U often look at their work personification as different and distinct 
from their home personification, with different sites 120 visited, different credit cards 
116n, and sometimes even different alert mechanisms 116c. 

As seen in Figure 11, multiple core authentication records (CAR) 132a,132b are 
preferably supported by the identity based service system 10, whereby a user U 
selectively logs in 18 to one or more core authentication records 132. 

The links 136 also preferably include quick-links 140 between accounts 132. Once a 
user U logs in 18 to either account 132, they can switch between the accounts 132, e.g. 
from 132a to 132b, on an as needed or as desired basis, without logging in 18 again. 
For example, as seen in Figure 11, a user U within a work authentication record 132a 
can link 140d to the associated home authentication record 132b for the user U. 
Similarly, the user U within a home authentication record 132b can link 140g to the 
associated work authentication record 132a for the user U. 

Figure 12 is a functional block diagram 160 of multiple core authentication records 
(CAR) 132a, 132b, which are maintained on behalf of a user U, based upon the use of 
different devices 192a, 192b (FIG. 14). The identity based service system 10 also 
preferably comprises support for multiple devices 192 for a user U, wherein a user logs 
on 18 to the system through any of a plurality of devices 192, such as through a desktop 
computer 192a in an office, or through a mobile device 192b at any location. 

While the user U may retain a similar identity while operating different devices, such as 
a work identity, the chosen services 138,116 and links 136,140 linked to the 
authentication records 132a, 132b may be chosen or selected as suitable for the device 
192. For example, an extended alert list 116c may be linked to a desktop computer 
192a, while an abbreviated alert list 116c may be linked to a mobile device 192b, such as a 
personal digital assistant 192b, or an Internet enabled cell phone 192b. Similarly, a 
wide variety of web site links 140 may be linked to a desktop computer 192a, while only 
a few key web site links 140 may be linked to a mobile device 192b. 

While much of the identity 29, services 116, and/or core providers 118 may be shared 
between authentication records 132a, 132b in Figure 12, the authentication records 
132a, 132b provide a customized operating environment for a user U, which is based on 
the device 192 from which the user U logs in 18. 

System Advantages. The identity based service system 10 provides significant 
advantages over conventional identity and service structures. Through the 
establishment of a system identity 29, a user U can quickly provide information as 
needed to system entities 27, while controlling how the information is distributed. The 
use of a secure and centralized identity structure provides controlled authentication and 
authorization of all system entities 27. 

Through the use of detailed identity information, the identity based service system 10 
provides unique value-added services, such as fast sign-in 18, a customized personal 
network environment, and quick links 140 to existing and new associated web service 
providers 120. 

System Operation. Figure 14 is a schematic view 190 of a user logging onto a first 
service provider site 120, wherein the user does not currently have a system identity 29. 
In the process of registering as a user at the site 120, the user typically establishes a 
user name 194 and password 196, and enters appropriate information to operate within 
the site 120, such as name, address, and/or credit information 96. 

Figure 15 is a second view 200 of operation for an identity based service system 10, 
wherein the user is asked if an identity based service system identity 174 is desired, to 
easily establish relationships with other providers 120, such as through selectable 
member site links 202, and/or to establish or manage system services 116, e.g. such as 
to establish a profile service 116b or a wallet service 116n, through selectable service 
links 204. 

Figure 16 is a third view 210 of operation for an identity based service system 10, in 
which a system identity 29 is established at an identity provider 14. The information 
gathered from the first site 120 is securely stored in the identity provider 14. The user U 
may easily choose one or more member site links 202 and/or service links 204, typically 
from an identity service selection screen 206. 

Although the identity based service system and its methods of use are described herein 
in connection with personal computers, mobile devices, and other microprocessor-based 
devices, such as portable digital assistants or network enabled cell phones, the 
apparatus and techniques can be implemented for a wide variety of electronic devices 
and systems, or any combination thereof, as desired. 

As well, while the identity based service system and its methods of use are described 
herein in connection with interaction between a principal and a network through a 
device, the use of identity based services can be implemented for a wide variety of 
electronic devices and networks or any combination thereof, as desired. 

Accordingly, although the invention has been described in detail with reference to a 
particular preferred embodiment, persons possessing ordinary skill in the art to which 
this invention pertains will appreciate that various modifications and enhancements may 
be made without departing from the spirit and scope of the claims that follow. 

What is claimed is: 

1. An identity based service system, comprising: 

at least one principal comprising at least one identity comprising user information; 
an identity provider for managing at least one identity for the principal, and for 
authenticating the principal; and 

a system entity which is accessible by the principal, based on an authentication 
of the principal by the identity provider, and based on retrieval of at least a portion of 
user information from the identity provider. 

2. The identity based service system of Claim 1, further comprising: 

at least one core service associated with the system and related to at least a 
portion of the user information. 

3. The identity based service system of Claim 2, wherein the core service is accessible 
by the user, based on an authentication of the principal by the identity provider. 

4. The identity based service system of Claim 2, wherein the core service is accessible 
by the system entity, based on an authentication of the principal by the identity provider. 

5. The identity based service system of Claim 2, wherein the core service is associated 
with one or more core service providers. 


6. The identity based service system of Claim 2, wherein the core service comprises 
any of an authentication service, a profile service, an alert service, a calendar service, 
and a wallet service. 
7. The identity based service system of Claim 1, wherein the identity provider further 
comprises means for translating namespaces, such that a user identity of a principal in 
a first namespace is translatable to a user identity in a second namespace. 

8. The identity based service system of Claim 7, wherein the user identity in the second 
namespace is encrypted. 

9. The identity based service system of Claim 7, wherein the user identity in the second 
namespace is time-bound. 

10. The identity based service system of Claim 1, further comprising: 

at least one core authentication record associated with the identity, comprising 
any of services and links associated with the identity. 

11. An identity based service system, comprising: 

an identity module for managing an identity for a user; 

a discovery module associated with the identity module and adapted to receive a 
user name identifier associated with the user and a service name known to the system; 

means for discovering a service descriptor for the user, based on a received 
name identifier and a service name; and 

whereby at least one web service is accessible, based upon the discovered 
service descriptor and the name identifier. 

12. The identity based service system of Claim 11, further comprising: 

at least one core service associated with the system and related to the user. 

13. The identity based service system of Claim 12, wherein the core service is 
accessible by the user, based on a system authentication of the principal at the identity 
module. 
14. The identity based service system of Claim 12, wherein the core service is 
accessible by a system entity, based on an authentication of the principal at the identity 
module. 

15. The identity based service system of Claim 12, wherein the core service is 
associated with one or more core service providers. 

16. The identity based service system of Claim 12, wherein the core service comprises 
any of an authentication service, a profile service, an alert service, a calendar service, 
and a wallet service. 



17. The identity based service system of Claim 11, wherein the identity module further 
comprises means for translating namespaces, such that a user identity of a principal in 
a first namespace is translatable to a user identity in a second namespace. 

18. The identity based service system of Claim 17, wherein the user identity in the 
second namespace is encrypted. 



19. The identity based service system of Claim 17, wherein the user identity in the 
second namespace is time-bound. 



20. The identity based service system of Claim 11, further comprising: 

at least one core authentication record associated with the identity, comprising 
any of services and links associated with the identity. 

21. The system of Claim 11, wherein the principal is located at a device linked to the 
identity based service system. 



22. An identity based service process, comprising: 
providing an identity module for managing an identity for a user; 
receiving a user name identifier associated with the user and a service name 
known to the system; 

discovering a service descriptor for the user, based on a received name identifier 
and a service name; and 
controllably authenticating access to a service, based upon the receipt of the 

discovered service descriptor and the name identifier. 

23. The process of Claim 22, further comprising the step of: 

establishing at least one core service associated with the system and related to 
the user. 



24. The process of Claim 23, wherein the core service is accessible by the user, based 
on a system authentication of the principal at the identity module. 

25. The process of Claim 23, wherein the core service is accessible by a system entity, 
based on an authentication of the principal at the identity module. 

26. The process of Claim 23, wherein the core service is associated with one or more 
core service providers. 


27. The process of Claim 23, wherein the core service comprises any of an 
authentication service, a profile service, an alert service, a calendar service, and a 
wallet service. 



28. The process of Claim 22, further comprising the step of: 

translating namespaces, such that a user identity of a principal in a first 
namespace is translated to a user identity in a second namespace. 



29. The process of Claim 28, further comprising the step of: 
encrypting the user identity in the second namespace. 
30. The process of Claim 22, wherein the user identity in the second namespace is 
time-bound. 

31. The process of Claim 22, further comprising the step of: 

associating at least one core authentication record with the identity, comprising 
any of services and links associated with the identity. 

32. A process, comprising the steps of: 

providing an identity provider networked to a service having a service name; 

establishing an identity at the identity provider for a principal, comprising 
information and a name identifier for a user; 

establishing a link between the principal and the service by the identity provider, 
based upon a receipt of a name identifier and a service name. 



Attorney Docket No. AOL0091 
13 August 2003 

PROPRIETARY INFORMATION - REVIEW DRAFT 

Identity Based Service System 


ABSTRACT OF THE DISCLOSURE 

An identity based service system is provided, in which an identity is created and 
managed for a user or principal, such that at least a portion of the identity is 
available to use between one or more system entities. A discovery service 
enables a system entity to discover a service descriptor, given a service name 
and a name identifier of the user, whereby system entities can find and invoke 
the user's other personal web services. The discovery service preferably 
provides a translation between a plurality of namespaces, to prevent linkable 
identity information over time between system entities. 
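The namespace translation named in the abstract and in Claims 7 to 9 (a user identity in a second namespace that is encrypted and time-bound), as an added example that is not the patent's code or any implementation's: the discovery service maps the identity provider's name identifier to a per-service pseudonym that is encrypted, bound to the requesting service's namespace and valid only for the current time window, so two services cannot link the same user and an expired pseudonym translates to nothing. The cipher construction (HMAC-SHA256 used as a counter-mode PRF with encrypt-then-MAC), the window length and all keys and names are assumptions chosen to keep the example standard-library only.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: a stdlib-only stand-in for a
    block cipher, used encrypt-then-MAC in NamespaceTranslator."""
    out = b""
    for counter in range(-(-length // 32)):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class NamespaceTranslator:
    """Discovery-service side: identity provider namespace <-> per-service
    namespace. Pseudonyms are encrypted, bound to one service and time-bound."""
    NONCE_LEN, TAG_LEN = 12, 16

    def __init__(self, enc_key: bytes, mac_key: bytes, lifetime: int) -> None:
        self.enc_key, self.mac_key, self.lifetime = enc_key, mac_key, lifetime

    def _tag(self, service: str, nonce_ct: bytes) -> bytes:
        # Binding the tag to the service namespace stops one site presenting a
        # pseudonym that was issued for another.
        msg = service.encode() + b"\x00" + nonce_ct
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()[: self.TAG_LEN]

    def to_service_namespace(self, user_id: str, service: str, now: int) -> str:
        expiry = (now // self.lifetime + 1) * self.lifetime   # end of current window
        plaintext = f"{user_id}\x00{expiry}".encode()
        # Synthetic nonce from (user, service, window): the same inputs give the
        # same pseudonym within a window and a fresh one after it. The nonce is
        # only ever reused with this identical plaintext, so no keystream reuse.
        iv_input = f"iv\x00{user_id}\x00{service}\x00{expiry}".encode()
        nonce = hmac.new(self.mac_key, iv_input, hashlib.sha256).digest()[: self.NONCE_LEN]
        ct = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        return base64.urlsafe_b64encode(nonce + ct + self._tag(service, nonce + ct)).decode()

    def to_idp_namespace(self, pseudonym: str, service: str, now: int) -> Optional[str]:
        """Translate back; None when forged, presented by the wrong service,
        malformed or expired."""
        try:
            raw = base64.urlsafe_b64decode(pseudonym)
        except ValueError:
            return None
        if len(raw) <= self.NONCE_LEN + self.TAG_LEN:
            return None
        nonce_ct, tag = raw[:-self.TAG_LEN], raw[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(service, nonce_ct)):
            return None
        nonce, ct = nonce_ct[: self.NONCE_LEN], nonce_ct[self.NONCE_LEN:]
        plaintext = _xor(ct, _keystream(self.enc_key, nonce, len(ct))).decode()
        user_id, _, expiry = plaintext.partition("\x00")
        if not expiry.isdigit() or now >= int(expiry):
            return None   # time-bound: the window has ended
        return user_id
```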
From: Edwin Aoki <edwinaoki@aol.net> 
Subject: Re: AOL0091 Second Patent Draft for Comments ASAP 
Date: August 14, 2003 9:34:15 AM PDT 
To: Don Hendricks <donhdesign@earthlink.net> 
Cc: Conor Cahill <ConCahill@aol.com>, David Wexelblat <davidwexelblat@aol.com>, Jeremy Carriere 
<j@thecarrieres.com>, Jeremy Carriere <sjcarriere@hotmail.com>, jar@roskind.com, Chris Toomey 
<ctoomey@aol.com> 

Don, 

I am forwarding your request to Jim Roskind and Chris Toomey, two additional inventors who were inadvertently left off of the 
original message. Jim can be reached at jar@roskind.com, and Chris at ctoomey@aol.com. Both are copied on this message. 

Thanks, 
-Edwin 



Don Hendricks wrote: 
Conor, Edwin, David, Jeromy, 

Attached is a second draft of the application and drawings for this application, which incorporates the detailed comments I 
received from Edwin, and the general comments I received from David. 

I also made several other corrections, and added supporting paragraphs, particularly in reference to Figures 1-6. I also made 
several corrections in the Figures, and added identity reference characters (e.g. 29a,29b) associated with core authentication 
records(FIG. 10, FIG. 11). 

Please make your final review, and send your red-lined version, or approval to file, by _Monday, August 18_. 

Thanks, 

Don Hendricks 

Patent Agent 

(831) 656-0598 Ph 

(831) 656-0598 Fax 

donhdesign@earthlink.net 

for Glenn Patent Group 
3475 Edison Way, Suite L 
Menlo Park, CA 94025 
650-474-8400 
650-474-8401 (Fax) 

This message is intended only for the individual to whom it is addressed 
and may contain information that is confidential, privileged, or 
otherwise exempt from disclosure under applicable law. If you are not 
the individual to whom this message is addressed, you are advised that 
any use, copying, or disclosure of this message or the contents thereof 
is without permission and contrary to law. If you receive this message 
in error, please call 650-474-8400. 
Subject: AOL0091 - Final Draft for filing & Inventor Disclosure Form 
Date: Fri, 29 Aug 2003 09:53:03 -0700 
From: Don Hendricks <donhdesign@earthlink.net> 
To: Jessica@g]gon-law.com 

Jessica 

Here's the final draft of the Application for this project. I also filled out the Inventor Disclosure form, based on 
the information & documents received from the inventors. I Fedexed 3 sets of formal drawings (16 Figures on 16 
sheets) to you, for delivery this AM. 



Also attached is the last email from Conor Cahill with his approval to file. FYI- Conor was the only inventor to 
review and approve the final drafts of the Application (3rd draft) & Figures (4th draft). 

If there's anything else I need to do on this, please let me know. 

Thanks, 



Don 





From: "Conor P. Cahill" <concahill@aol.com> 

Date: Fri Aug 29, 2003 08:53:15 AM US/Pacific 

To: "Don Hendricks" <donhdesign@earthlink.net> 

Subject: Re: AOL0091 Fourth Draft of Figures for Comments ASAP 

Don Hendricks wrote on 8/28/2003, 4:34 PM: 

> Conor, 
> 
> I'm assuming from your last e-mail that both the application and 
> drawings are acceptable for filing. 

Yes, that is correct. 

> I'll also update the AOL Inventor Disclosure Document; if other 
> information is requested for the document, I may contact you as needed. 

Ok. 



Conor 



